Audit Security Group Management
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
Event volume: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
- Security group is created, changed, or deleted.
- Member is added or removed from a security group.
- Group type is changed.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
---|---|---|---|---|---|
Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Events List:
- 4731(S): A security-enabled local group was created.
- 4732(S): A member was added to a security-enabled local group.
- 4733(S): A member was removed from a security-enabled local group.
- 4734(S): A security-enabled local group was deleted.
- 4735(S): A security-enabled local group was changed.
- 4764(S): A group’s type was changed.
- 4799(S): A security-enabled local group membership was enumerated.
4727(S): A security-enabled global group was created. See event 4731: A security-enabled local group was created. Event 4727 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4727(S) generates only for domain groups, so the Local sections in event 4731 do not apply.
4737(S): A security-enabled global group was changed. See event 4735: A security-enabled local group was changed. Event 4737 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4737(S) generates only for domain groups, so the Local sections in event 4735 do not apply.
4728(S): A member was added to a security-enabled global group. See event 4732: A member was added to a security-enabled local group. Event 4728 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4728(S) generates only for domain groups, so the Local sections in event 4732 do not apply.
4729(S): A member was removed from a security-enabled global group. See event 4733: A member was removed from a security-enabled local group. Event 4729 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4729(S) generates only for domain groups, so the Local sections in event 4733 do not apply.
4730(S): A security-enabled global group was deleted. See event 4734: A security-enabled local group was deleted. Event 4730 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4730(S) generates only for domain groups, so the Local sections in event 4734 do not apply.
4754(S): A security-enabled universal group was created. See event 4731: A security-enabled local group was created. Event 4754 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4754(S) generates only for domain groups, so the Local sections in event 4731 do not apply.
4755(S): A security-enabled universal group was changed. See event 4735: A security-enabled local group was changed. Event 4755 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4755(S) generates only for domain groups, so the Local sections in event 4735 do not apply.
4756(S): A member was added to a security-enabled universal group. See event 4732: A member was added to a security-enabled local group. Event 4756 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4756(S) generates only for domain groups, so the Local sections in event 4732 do not apply.
4757(S): A member was removed from a security-enabled universal group. See event 4733: A member was removed from a security-enabled local group. Event 4757 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4757(S) generates only for domain groups, so the Local sections in event 4733 do not apply.
4758(S): A security-enabled universal group was deleted. See event 4734: A security-enabled local group was deleted. Event 4758 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
[!IMPORTANT] Event 4758(S) generates only for domain groups, so the Local sections in event 4734 do not apply.
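Because the global and universal events mirror the local ones, a single lookup table can normalize all of them for detection. The following is an added example, not part of the original page: it assumes events are available as event XML, that the group name is in `TargetUserName`, the acting account in `SubjectUserName` and the member in `MemberSid`, and it uses a hypothetical watch list of critical groups.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event ID -> (group scope, action), taken from the events list on this page.
EVENTS = {
    4731: ("local", "created"), 4732: ("local", "member_added"),
    4733: ("local", "member_removed"), 4734: ("local", "deleted"),
    4735: ("local", "changed"), 4799: ("local", "enumerated"),
    4727: ("global", "created"), 4728: ("global", "member_added"),
    4729: ("global", "member_removed"), 4730: ("global", "deleted"),
    4737: ("global", "changed"), 4754: ("universal", "created"),
    4755: ("universal", "changed"), 4756: ("universal", "member_added"),
    4757: ("universal", "member_removed"), 4758: ("universal", "deleted"),
    4764: ("any", "type_changed"),
}

def normalize(xml_text):
    """Return a flat record for a Security Group Management event, else None."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    if event_id not in EVENTS:
        return None  # event belongs to another audit subcategory
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    scope, action = EVENTS[event_id]
    return {"id": event_id, "scope": scope, "action": action,
            "group": data.get("TargetUserName"), "actor": data.get("SubjectUserName"),
            "member_sid": data.get("MemberSid")}

# Assumption: example watch list; replace with the groups critical in your environment.
WATCHED = {"domain admins", "enterprise admins", "administrators"}

def alerts(xml_events, watched=WATCHED):
    """Records that modify a watched group (membership enumeration is not a change)."""
    return [r for r in filter(None, map(normalize, xml_events))
            if r["action"] != "enumerated" and (r["group"] or "").lower() in watched]

def sample(event_id, **fields):
    """Build a constructed event in the Windows event XML layout (not real log data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample events for illustration only.
SAMPLES = [
    sample(4728, TargetUserName="Domain Admins", SubjectUserName="alice", MemberSid="S-1-5-21-0-0-0-1105"),
    sample(4732, TargetUserName="Print Operators", SubjectUserName="alice", MemberSid="S-1-5-21-0-0-0-1106"),
    sample(4799, TargetUserName="Administrators", SubjectUserName="svc-scan"),
    sample(4624, TargetUserName="bob"),
]
```

`alerts(SAMPLES)` returns only the 4728 record: the 4732 event targets a group outside the watch list, 4799 is an enumeration, and 4624 is not part of this subcategory.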