Event ID: 4731

A security-enabled local group was created 

A security-enabled local group was created.

Subject:
    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:           %7

New Group:
    Security ID:        %3
    Group Name:         %1
    Group Domain:       %2

Attributes:
    SAM Account Name:   %9
    SID History:        %10

Additional Information:
    Privileges:         %8


This event generates every time a new security-enabled (security) local group was created.

This event generates on domain controllers, member servers, and workstations.

Microsoft Documentation

Event ID - 4731



Name Field Insertion String OS Example
Group Name TargetUserName %1 Any AccountOperators
Group Domain TargetDomainName %2 Any DOMAIN
Security ID TargetSid %3 Any S-1-5-21-3457937927-2839227994-823803824-6605
Security ID SubjectUserSid %4 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %5 Any UserName
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x3031e
Privileges PrivilegeList %8 Any View Codes
SAM Account Name SamAccountName %9 Any AccountOperators
SID History SidHistory %10 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Security Group Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Account Management

Audit Subcategory:
Security Group Management
Legacy Events:
635

LEFT/RIGHT arrow keys for navigation

Back to List