deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 05:43:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
b5101b1fbd75f538e7af22d78524ea3b5335c587
windows-itpro-docs/windows/security/threat-protection/auditing/audit-security-group-management.md
professorbike 98a76b64a1 Update audit-security-group-management.md 
Fix typo in description of 4755. Previously stated "4737 is the same" instead of 4755.
2023-06-02 14:18:44 -05:00

105 lines
8.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Audit Security Group Management
description: The policy setting, Audit Security Group Management, determines if audit events are generated when specific security group management tasks are performed.
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
ms.topic: reference
---
# Audit Security Group Management
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
**Event volume**: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
- Security group is created, changed, or deleted.
- Member is added or removed from a security group.
- Group type is changed.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4731](event-4731.md)(S): A security-enabled local group was created.
- [4732](event-4732.md)(S): A member was added to a security-enabled local group.
- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
- [4734](event-4734.md)(S): A security-enabled local group was deleted.
- [4735](event-4735.md)(S): A security-enabled local group was changed.
- [4764](event-4764.md)(S): A groups type was changed.
- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
- 4727(S): A security-enabled global group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4727(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
- 4737(S): A security-enabled global group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4737(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
- 4728(S): A member was added to a security-enabled global group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4728(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
- 4729(S): A member was removed from a security-enabled global group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4729(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
- 4730(S): A security-enabled global group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4730(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
- 4754(S): A security-enabled universal group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
- 4756(S): A member was added to a security-enabled universal group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4756(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
- 4757(S): A member was removed from a security-enabled universal group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4757(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
- 4758(S): A security-enabled universal group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
>[!IMPORTANT]
> Event 4758(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
Reference in New Issue View Git Blame Copy Permalink