Security Enabled Local Group Member Removed: Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9

Details
Product: Windows Operating System
Event ID: 637
Source: Security
Version: 5.2
Symbolic Name: SE_AUDITID_LOCAL_GROUP_REM
Message: Security Enabled Local Group Member Removed:
Member Name: %1
Member ID: %2
Target Account Name: %3
Target Domain: %4
Target Account ID: %5
Caller User Name: %6
Caller Domain: %7
Caller Logon ID: %8
Privileges: %9
   
Explanation

A user or group account was removed from a local security group on the computer or on the domain.

  • The Member Name field specifies the user or group account that was removed.
  • The Member ID field specifies the user’s domain-qualified user name.
  • The Target Account Name and Target Domain fields specify the group from which the user was removed.
  • The Target Account ID is the security identifier (SID) of the user or group account that was removed.
  • The Caller User Name specifies the user removed the user or group account.
  • The Caller Logon ID specifies logon ID of the user who removed the user or group account.
  • The Privileges field for this event is usually empty.
   
User Action

Confirm that the group removal operaiton is in compliance with the security policy of your organization.

Related:

Leave a Reply