windows-itpro-docs/windows/device-security/auditing/audit-security-group-management.md
Nicholas Brower 1ae3f0b230 Merged PR 4822: "msdate update (generated from most recent commit date)"
2017-12-05 22:36:05 +00:00


title: Audit Security Group Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed.
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
ms.date: 04/19/2017

Audit Security Group Management

Applies to

  • Windows 10
  • Windows Server 2016

Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.

Event volume: Low.

This subcategory allows you to audit events generated by changes to security groups such as the following:

  • Security group is created, changed, or deleted.

  • Member is added to or removed from a security group.

  • Group type is changed.

| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |

Events List:

  • 4731(S): A security-enabled local group was created.

  • 4732(S): A member was added to a security-enabled local group.

  • 4733(S): A member was removed from a security-enabled local group.

  • 4734(S): A security-enabled local group was deleted.

  • 4735(S): A security-enabled local group was changed.

  • 4764(S): A group's type was changed.

  • 4799(S): A security-enabled local group membership was enumerated.

4727(S): A security-enabled global group was created. See event “4731: A security-enabled local group was created.” Event 4727 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4731 do not apply.

4737(S): A security-enabled global group was changed. See event “4735: A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4735 do not apply.

4728(S): A member was added to a security-enabled global group. See event “4732: A member was added to a security-enabled local group.” Event 4728 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4732 do not apply.

4729(S): A member was removed from a security-enabled global group. See event “4733: A member was removed from a security-enabled local group.” Event 4729 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4733 do not apply.

4730(S): A security-enabled global group was deleted. See event “4734: A security-enabled local group was deleted.” Event 4730 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4734 do not apply.

4754(S): A security-enabled universal group was created. See event “4731: A security-enabled local group was created.” Event 4754 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4731 do not apply.

4755(S): A security-enabled universal group was changed. See event “4735: A security-enabled local group was changed.” Event 4755 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4735 do not apply.

4756(S): A member was added to a security-enabled universal group. See event “4732: A member was added to a security-enabled local group.” Event 4756 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4732 do not apply.

4757(S): A member was removed from a security-enabled universal group. See event “4733: A member was removed from a security-enabled local group.” Event 4757 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4733 do not apply.

4758(S): A security-enabled universal group was deleted. See event “4734: A security-enabled local group was deleted.” Event 4758 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Important: this event generates only for domain groups, so the Local sections in event 4734 do not apply.