detection.wiki

Microsoft-Windows-Directory-Services-SAM › Event 16413

Event ID 16413 — An error occurred when trying to remove the account Name from the group AccountName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

An error occurred when trying to remove the account Name from the group AccountName. The problem, "GroupName", occurred when trying to remove the account from the group. Please remove the member manually.

Message #

An error occurred when trying to remove the account %1 from the group %2. The problem, "%3", occurred when trying to remove the account from the group.  Please remove the member manually.

Fields #

NameDescription
Name
AccountName UnicodeString
GroupName UnicodeString
ErrorString UnicodeString
Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16413,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:14:31.656794+00:00",
    "event_record_id": 639,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 652
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_MEMBERSHIP_REMOVAL_SETUP_ERROR",
    "AccountName": "Network Service",
    "GroupName": "Performance Log Users",
    "ErrorString": "The system cannot find the file specified.\r\n",
    "Binary": "02000000"
  },
  "message": ""
}

References #