8.7 KiB
title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author, ms.date
| title | description | ms.assetid | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | author | ms.date |
|---|---|---|---|---|---|---|---|---|
| Audit Distribution Group Management (Windows 10) | This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. | d46693a4-5887-4a58-85db-2f6cba224a66 | security | w10 | deploy | library | Mir0sh | 04/19/2017 |
Audit Distribution Group Management
Applies to
- Windows 10
- Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
This subcategory generates events only on domain controllers.
Event volume: Low on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
-
Distribution group is created, changed, or deleted.
-
Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “4764: A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | IF | No | IF | No | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing. Typically volume of these events is low on domain controllers. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
Events List:
-
4749(S): A security-disabled global group was created.
-
4750(S): A security-disabled global group was changed.
-
4751(S): A member was added to a security-disabled global group.
-
4752(S): A member was removed from a security-disabled global group.
-
4753(S): A security-disabled global group was deleted.
4759(S): A security-disabled universal group was created. See event “4749: A security-disabled global group was created.” Event 4759 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4760(S): A security-disabled universal group was changed. See event “4750: A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4761(S): A member was added to a security-disabled universal group. See event “4751: A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4762(S): A member was removed from a security-disabled universal group. See event “4752: A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4763(S): A security-disabled universal group was deleted. See event “4753: A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4744(S): A security-disabled local group was created. See event “4749: A security-disabled global group was created.” Event 4744 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4745(S): A security-disabled local group was changed. See event “4750: A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4746(S): A member was added to a security-disabled local group. See event “4751: A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4747(S): A member was removed from a security-disabled local group. See event “4752: A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4748(S): A security-disabled local group was deleted. See event “4753: A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.