Event ID: 4744

A security-disabled local group was created 

A security-disabled local group was created.

Subject:
    Security ID:    %4
    Account Name:   %5
    Account Domain: %6
    Logon ID:       %7

New Group:
    Security ID:  %3
    Group Name:   %1
    Group Domain: %2

Attributes:
    SAM Account Name: %9
    SID History:      %10

Additional Information:
    Privileges:       %8




Name Field Insertion String OS Example
Group Name TargetUserName %1 Any Distribution Domain local
Group Domain TargetDomainName %2 Any HQCORP
Security ID TargetSid %3 Any S-1-5-21-1913345275-1711810662-261465553-1136
Security ID SubjectUserSid %4 Any S-1-5-21-1913345275-1711810662-261465553-500
Account Name SubjectUserName %5 Any Administrator
Account Domain SubjectDomainName %6 Any HQCORP
Logon ID SubjectLogonId %7 Any 0x1d9153
Privileges PrivilegeList %8 Any -
SAM Account Name SamAccountName %9 Any Distribution Domain local
SID History SidHistory %10 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Distribution Group Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Audit Category:
Account Management

Audit Subcategory:
Distribution Group Management
Legacy Events:
648

LEFT/RIGHT arrow keys for navigation

Back to List