Audit Security Group Management

  • [アーティクル]

Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.

Event volume: Low.

This subcategory allows you to audit events generated by changes to security groups such as the following:

  • Security group is created, changed, or deleted.

  • Member is added or removed from a security group.

  • Group type is changed.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes No Yes No We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server Yes No Yes No We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation Yes No Yes No We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:

  • 4731(S): A security-enabled local group was created.

  • 4732(S): A member was added to a security-enabled local group.

  • 4733(S): A member was removed from a security-enabled local group.

  • 4734(S): A security-enabled local group was deleted.

  • 4735(S): A security-enabled local group was changed.

  • 4764(S): A group’s type was changed.

  • 4799(S): A security-enabled local group membership was enumerated.

  • 4727(S): A security-enabled global group was created. See event 4731: A security-enabled local group was created. Event 4727 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4727(S) generates only for domain groups, so the Local sections in event 4731 do not apply.

  • 4737(S): A security-enabled global group was changed. See event 4735: A security-enabled local group was changed. Event 4737 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4737(S) generates only for domain groups, so the Local sections in event 4735 do not apply.

  • 4728(S): A member was added to a security-enabled global group. See event 4732: A member was added to a security-enabled local group. Event 4728 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4728(S) generates only for domain groups, so the Local sections in event 4732 do not apply.

  • 4729(S): A member was removed from a security-enabled global group. See event 4733: A member was removed from a security-enabled local group. Event 4729 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4729(S) generates only for domain groups, so the Local sections in event 4733 do not apply.

  • 4730(S): A security-enabled global group was deleted. See event 4734: A security-enabled local group was deleted. Event 4730 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4730(S) generates only for domain groups, so the Local sections in event 4734 do not apply.

  • 4754(S): A security-enabled universal group was created. See event 4731: A security-enabled local group was created. Event 4754 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4754(S) generates only for domain groups, so the Local sections in event 4731 do not apply.

  • 4755(S): A security-enabled universal group was changed. See event 4735: A security-enabled local group was changed. Event 4755 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4755(S) generates only for domain groups, so the Local sections in event 4735 do not apply.

  • 4756(S): A member was added to a security-enabled universal group. See event 4732: A member was added to a security-enabled local group. Event 4756 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4756(S) generates only for domain groups, so the Local sections in event 4732 do not apply.

  • 4757(S): A member was removed from a security-enabled universal group. See event 4733: A member was removed from a security-enabled local group. Event 4757 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4757(S) generates only for domain groups, so the Local sections in event 4733 do not apply.

  • 4758(S): A security-enabled universal group was deleted. See event 4734: A security-enabled local group was deleted. Event 4758 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

    Important

    Event 4758(S) generates only for domain groups, so the Local sections in event 4734 do not apply.