Event ID: 4735
A security-enabled local group was changed

A security-enabled local group was changed.

Subject:
  Security ID: %4
  Account Name: %5
  Account Domain: %6
  Logon ID: %7

Group:
  Security ID: %3
  Group Name: %1
  Group Domain: %2

Changed Attributes:
  SAM Account Name: %9
  SID History: %10

Additional Information:
  Privileges: %8
This event generates every time a security-enabled (security) local group is changed.
This event generates on domain controllers, member servers, and workstations.
Some changes do not invoke a 4735 event, for example, changes made on the Managed By tab of the group account properties in the Active Directory Users and Computers management console.
If you change the name of the group (SAM Account Name), you also get “4781 The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “4764 A group’s type was changed.” These events are generated for any group type when group type is changed. “Audit Security Group Management” subcategory success auditing must be enabled.
From a 4735 event you can get information about changes to the sAMAccountName and sIDHistory attributes. For any other change, you will see that something changed but will not be able to see exactly what changed.
Name | Field | Insertion String | OS | Example
---|---|---|---|---
Group Name | TargetUserName | %1 | Any | AccountOperators_NEW
Group Domain | TargetDomainName | %2 | Any | DOMAIN
Security ID | TargetSid | %3 | Any | S-1-5-21-3457937927-2839227994-823803824-6605
Security ID | SubjectUserSid | %4 | Any | S-1-5-21-3457937927-2839227994-823803824-1104
Account Name | SubjectUserName | %5 | Any | UserName
Account Domain | SubjectDomainName | %6 | Any | DOMAIN
Logon ID | SubjectLogonId | %7 | Any | 0x3031e
Privileges | PrivilegeList | %8 | Any | View Codes
SAM Account Name | SamAccountName | %9 | Any | AccountOperators_NEW
SID History | SidHistory | %10 | Any | -
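The triage logic described above, as an added example that is not part of the original reference: it parses a 4735 event exported as XML, reports which of the two tracked attributes changed, and flags events where the change is not described. The sample events are constructed from the table's example values, and treating "-" as the marker for an unchanged attribute is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TRACKED = ("SamAccountName", "SidHistory")  # the only attributes 4735 reports by value
UNCHANGED = "-"  # assumption: value written for an attribute that did not change

TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{group}</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserName">UserName</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3031e</Data>
    <Data Name="SamAccountName">{sam}</Data>
    <Data Name="SidHistory">{sidh}</Data>
  </EventData>
</Event>"""

# Constructed samples: a group rename, and a change that 4735 does not describe.
RENAME = TEMPLATE.format(eid=4735, group="AccountOperators_NEW",
                         sam="AccountOperators_NEW", sidh="-")
OPAQUE = TEMPLATE.format(eid=4735, group="AccountOperators_NEW", sam="-", sidh="-")


def triage_4735(event_xml):
    """Return a summary dict for a 4735 event, or None for any other event ID."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4735":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    changed = {k: data[k] for k in TRACKED
               if data.get(k, UNCHANGED) not in (UNCHANGED, "")}
    return {
        "group": f'{data.get("TargetDomainName")}\\{data.get("TargetUserName")}',
        "group_sid": data.get("TargetSid"),
        "actor": f'{data.get("SubjectDomainName")}\\{data.get("SubjectUserName")}',
        "logon_id": data.get("SubjectLogonId"),
        "changed": changed,
        # Nothing reported: some other attribute changed, so correlate by logon ID.
        "needs_correlation": not changed,
        # A SAM Account Name change should be accompanied by event 4781.
        "expect_4781": "SamAccountName" in changed,
    }


if __name__ == "__main__":
    for sample in (RENAME, OPAQUE):
        print(triage_4735(sample))
```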
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Security Group Management"
Operating Systems:
Windows Vista, Windows 2008, Windows 2008 R2, Windows 7, Windows 2012, Windows 2012 R2, Windows 8, Windows 8.1, Windows 10, Windows 2016, Windows 2019
Tags:
Audit Success