diff --git a/selftest/knownfail.d/group_audit b/selftest/knownfail.d/group_audit
deleted file mode 100644
index 4f5855fea01..00000000000
--- a/selftest/knownfail.d/group_audit
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_group_membership_changes_read_new_failure\(none\)
-^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_group_membership_changes_error\(none\)
diff --git a/source4/dsdb/samdb/ldb_modules/group_audit.c b/source4/dsdb/samdb/ldb_modules/group_audit.c
index 4356046f675..dd991bfbb07 100644
--- a/source4/dsdb/samdb/ldb_modules/group_audit.c
+++ b/source4/dsdb/samdb/ldb_modules/group_audit.c
@@ -1012,14 +1012,33 @@ static void log_group_membership_changes(
 new_val = ldb_msg_find_element(res->msgs[0], "member");
 group_type = ldb_msg_find_attr_as_uint(
 res->msgs[0], "groupType", 0);
+ log_membership_changes(acc->module,
+ acc->request,
+ new_val,
+ acc->members,
+ group_type,
+ status);
+ TALLOC_FREE(ctx);
+ return;
 }
 }
- log_membership_changes(acc->module,
- acc->request,
- new_val,
- acc->members,
- group_type,
- status);
+ /*
+ * If we get here either
+ * one of the lower level modules failed and the group record did
+ * not get updated
+ * or
+ * the updated group record could not be read.
+ *
+ * In both cases it does not make sense to log individual membership
+ * changes so we log a group membership change "Failure" message.
+ *
+ */
+ log_membership_change(acc->module,
+ acc->request,
+ "Failure",
+ "",
+ EVT_ID_NONE,
+ status);
 TALLOC_FREE(ctx);
 }
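Review bot: The fall-through "Failure" record is logged with `status`, so in the second case the new comment describes (the group was updated but the re-read failed) the entry would seem to pair a "Failure" action with a success status, and the read error from the search above the hunk is not recorded anywhere visible here. For an audit trail that also means an applied membership change is left without per-member detail, which a reader of the log cannot tell apart from a rejected change. I would state that in the comment, e.g. `* NOTE: in the second case the change was applied; only the per-member detail is missing.`, and consider passing the read error instead of `status` in that case. The function starts above the hunk, so the condition guarding the re-read is inferred from the comment rather than seen.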