Event Details
User Activity->Account Management->Account Changes->Group Account Changes->Windows 2000-2003->EventID 648 - Security Disabled Local Group Created [Win 2000]
EventID 648 - Security Disabled Local Group Created [Win 2000]
 Sample: 
Event Type:     SuccessAudit
Event Source:   Security
Event Category: Account Management
Event ID:       648
Date:           11/13/2009 12:00:00 AM
Time:           11:36:12
User:           LOGISTICS\ALebovsky
Computer:       DCCC1
Description:    
Security Disabled Local Group Created:

	Target Account Name:	Employees_distrib

	Target Domain:	LOGISTICS

	Target Account ID:	{S-1-5-21-746137067-343818398-839522115-1155}

	Caller User Name:	ALebovsky

	Caller Domain:	LOGISTICS

	Caller Logon ID:	(0x0,0x416355)

	Privileges:	-
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Category Account Management
Source Security
EventId 648
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 12/14/2009 6:59:09 AM
Who Account or user name under which the activity occured. Caller User Name Alebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Group Created" Group Created
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. "Medium" Medium
WhoDomain Caller Domain RESEARCH
WhereDomain -
Whom Account or user name being managed. Target Account ID {S-1-5-21-746137067-343818398-839522115-1155}
Group Type Type of group: security or distribution. "Distribution" Distribution
Group Scope Scope of group: local, global, universal. "Local" Local
Group Name -
Group Domain -
Affected Group -
Comments
You must be logged in to comment