Event ID: 4735 - A security-enabled local group was changed

A security-enabled local group was changed.

Subject:
    Security ID: %4
    Account Name: %5
    Account Domain: %6
    Logon ID: %7

Group:
    Security ID: %3
    Group Name: %1
    Group Domain: %2

Changed Attributes:
    SAM Account Name: %9
    SID History: %10

Additional Information:
    Privileges: %8

This event generates every time a security-enabled (security) local group is changed.
This event generates on domain controllers, member servers, and workstations.
Some changes do not invoke a 4735 event, for example, changes made in the Active Directory Users and Computers management console on the Managed By tab of the group account properties.
If you change the name of the group (SAM Account Name), you also get “4781 The name of an account was changed” if success auditing is enabled for the “Audit User Account Management” subcategory.
If you change the group type, you get a change event from the new group type's auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “4764 A group’s type was changed.” These events are generated for any group type when the group type is changed. Success auditing for the “Audit Security Group Management” subcategory must be enabled.
From a 4735 event you can get information about changes to the sAMAccountName and sIDHistory attributes. For any other change, you will see that something changed, but you will not be able to see what exactly changed.
| SAM Account Name | SamAccountName | %9 | Any | AccountOperators_NEW |
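
The fields above can be extracted from the event's XML for triage, separating a rename or SID History change from a change the event does not describe. This Python code is an added example, not part of the original page; the sample event is constructed, and the Data element names other than SamAccountName, plus the use of "-" for an unchanged attribute, are assumptions based on the standard 4735 event layout.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not from a real host), shaped like the XML view of a 4735 event.
SAMPLE_4735 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4735</EventID><Computer>DC01.example.test</Computer></System>
 <EventData>
  <Data Name="TargetUserName">AccountOperators_NEW</Data>
  <Data Name="TargetDomainName">Builtin</Data>
  <Data Name="TargetSid">S-1-5-32-548</Data>
  <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
  <Data Name="SubjectUserName">example-admin</Data>
  <Data Name="SubjectDomainName">EXAMPLE</Data>
  <Data Name="SubjectLogonId">0x6d5f1</Data>
  <Data Name="PrivilegeList">-</Data>
  <Data Name="SamAccountName">AccountOperators_NEW</Data>
  <Data Name="SidHistory">-</Data>
 </EventData>
</Event>"""

TRACKED = ("SamAccountName", "SidHistory")  # %9 and %10 in the message template


def parse_4735(xml_text):
    """Return a triage record for a 4735 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4735":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    # Assumption: "-" (or an empty value) means the attribute was not changed.
    changed = {k: data[k] for k in TRACKED if data.get(k, "-") not in ("", "-")}
    return {
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "actor": "\\".join((data.get("SubjectDomainName", ""), data.get("SubjectUserName", ""))),
        "actor_sid": data.get("SubjectUserSid", ""),
        "logon_id": data.get("SubjectLogonId", ""),
        "group": "\\".join((data.get("TargetDomainName", ""), data.get("TargetUserName", ""))),
        "group_sid": data.get("TargetSid", ""),
        "changed": changed,
        # True when the event says the group changed but names no attribute.
        "unspecified_change": not changed,
    }


if __name__ == "__main__":
    print(parse_4735(SAMPLE_4735))
```

A record with a SamAccountName change is the one to correlate with the 4781 event mentioned above; a record with `unspecified_change` set needs the group's current state compared against a known baseline.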
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Security Group Management"