Security Enabled Local Group Member Removed: Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9

Details
Product: Windows Operating System
Event ID: 637
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_LOCAL_GROUP_REM
Message: Security Enabled Local Group Member Removed: Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9
   
Explanation

A user or group account was removed from a local security group on the computer or on the domain.

  • The Member Name field specifies the user or group account that was removed.
  • The Member ID field specifies the user’s domain-qualified user name.
  • The Target Account Name and Target Domain fields specify the group from which the user was removed.
  • The Target Account ID is the security identifier (SID) of the user or group account that was removed.
  • The Caller User Name specifies the user who removed the user or group account.
  • The Caller Logon ID specifies the logon ID of the user who removed the user or group account.
  • The Privileges field for this event is usually empty.
   
User Action

Confirm that the group removal operation is in compliance with the security policy of your organization.
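One way to automate that check over exported Security log text is sketched below. It is an added example, not part of the original event documentation: it splits a rendered event 637 message into the nine fields listed above and reports removals from a watched group by a caller who is not on an approved list. The group list, caller list, account names, SID and logon ID are all constructed assumptions.

```python
# Field labels in the order of the event 637 message template (%1..%9).
FIELDS = ["Member Name", "Member ID", "Target Account Name", "Target Domain",
          "Target Account ID", "Caller User Name", "Caller Domain",
          "Caller Logon ID", "Privileges"]

def parse_637(message):
    """Split a rendered event 637 message into {label: value}."""
    marks, pos = [], 0
    for label in FIELDS:
        idx = message.find(label + ":", pos)   # labels must appear in template order
        if idx < 0:
            raise ValueError(f"not an event 637 message, missing {label!r}")
        pos = idx + len(label) + 1
        marks.append((label, idx, pos))
    out = {}
    for i, (label, _, start) in enumerate(marks):
        # A value runs from the end of its label to the start of the next label.
        end = marks[i + 1][1] if i + 1 < len(marks) else len(message)
        out[label] = message[start:end].strip()
    return out

def review(message, watched_groups, authorized_callers):
    """Return findings for one event; an empty list means nothing to follow up."""
    f = parse_637(message)
    group = f"{f['Target Domain']}\\{f['Target Account Name']}".lower()
    caller = f"{f['Caller Domain']}\\{f['Caller User Name']}".lower()
    findings = []
    if group in watched_groups and caller not in authorized_callers:
        findings.append(f"{caller} removed {f['Member ID']} from {group} "
                        f"(logon ID {f['Caller Logon ID']})")
    if f["Privileges"] not in ("", "-"):       # page: this field is usually empty
        findings.append(f"unexpected Privileges value: {f['Privileges']}")
    return findings

# Constructed policy and sample events (all names and IDs are made up).
WATCHED = {"builtin\\administrators"}
AUTHORIZED = {"example\\helpdesk1"}
TEMPLATE = ("Security Enabled Local Group Member Removed:\n"
            "\tMember Name: jdoe\n\tMember ID: EXAMPLE\\jdoe\n"
            "\tTarget Account Name: Administrators\n\tTarget Domain: Builtin\n"
            "\tTarget Account ID: S-1-5-21-1111111111-2222222222-3333333333-1105\n"
            "\tCaller User Name: {caller}\n\tCaller Domain: EXAMPLE\n"
            "\tCaller Logon ID: (0x0,0x3E7A1)\n\tPrivileges: -")
EVENT_OK = TEMPLATE.format(caller="helpdesk1")
EVENT_BAD = TEMPLATE.format(caller="tempadmin")

if __name__ == "__main__":
    for event in (EVENT_OK, EVENT_BAD):
        print(review(event, WATCHED, AUTHORIZED) or "compliant")
```

The Caller Logon ID in a finding can be matched against the logon event carrying the same ID to identify the session that made the change.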
