Audit Security Group Management

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when any of the following security group management tasks are performed:

  • A security group is created, changed, or deleted.

  • A member is added to or removed from a security group.

  • A group's type is changed.

Security groups can be used for access control permissions and also as distribution lists.

Event volume: Low

Default: Success

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event message

4727

A security-enabled global group was created.

4728

A member was added to a security-enabled global group.

4729

A member was removed from a security-enabled global group.

4730

A security-enabled global group was deleted.

4731

A security-enabled local group was created.

4732

A member was added to a security-enabled local group.

4733

A member was removed from a security-enabled local group.

4734

A security-enabled local group was deleted.

4735

A security-enabled local group was changed.

4737

A security-enabled global group was changed.

4754

A security-enabled universal group was created.

4755

A security-enabled universal group was changed.

4756

A member was added to a security-enabled universal group.

4757

A member was removed from a security-enabled universal group.

4758

A security-enabled universal group was deleted.

4764

A group's type was changed.