Jaa


Audit Distribution Group Management

Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.

This subcategory generates events only on domain controllers.

Event volume: Low on domain controllers.

This subcategory allows you to audit events generated by changes to distribution groups such as the following:

  • Distribution group is created, changed, or deleted.

  • Member is added or removed from a distribution group.

If you need to monitor for group type changes, you need to monitor for “4764: A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller IF No IF No IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution groups changes, such as if a member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.
Typically, volume of these events is low on domain controllers.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server No No No No This subcategory generates events only on domain controllers.
Workstation No No No No This subcategory generates events only on domain controllers.

Events List:

  • 4749(S): A security-disabled global group was created.

  • 4750(S): A security-disabled global group was changed.

  • 4751(S): A member was added to a security-disabled global group.

  • 4752(S): A member was removed from a security-disabled global group.

  • 4753(S): A security-disabled global group was deleted.

  • 4759(S): A security-disabled universal group was created. See event 4749: A security-disabled global group was created. Event 4759 is the same, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4760(S): A security-disabled universal group was changed. See event 4750: A security-disabled global group was changed. Event 4760 is the same, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4761(S): A member was added to a security-disabled universal group. See event 4751: A member was added to a security-disabled global group. Event 4761 is the same, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4762(S): A member was removed from a security-disabled universal group. See event 4752: A member was removed from a security-disabled global group. Event 4762 is the same, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4763(S): A security-disabled universal group was deleted. See event 4753: A security-disabled global group was deleted. Event 4763 is the same, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4744(S): A security-disabled local group was created. See event 4749: A security-disabled global group was created. Event 4744 is the same, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4745(S): A security-disabled local group was changed. See event 4750: A security-disabled global group was changed. Event 4745 is the same, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4746(S): A member was added to a security-disabled local group. See event 4751: A member was added to a security-disabled global group. Event 4746 is the same, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4747(S): A member was removed from a security-disabled local group. See event 4752: A member was removed from a security-disabled global group. Event 4747 is the same, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

  • 4748(S): A security-disabled local group was deleted. See event 4753: A security-disabled global group was deleted. Event 4748 is the same, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.