Event Details
User Activity->Account Management->Account Changes->Group Account Changes->Windows 2000-2003->EventID 635 - Security Enabled Local Group Created
EventID 635 - Security Enabled Local Group Created
 Sample: 
Event Type:     SuccessAudit
Event Source:   Security
Event Category: Account Management
Event ID:       635
Date:           10/26/2009 12:00:00 AM
Time:           07:31:56
User:           RESEARCH\ALebovsky
Computer:       DC1
Description:    
Security Enabled Local Group Created:

	New Account Name:	Setup Operators

	New Domain:	RESEARCH

	New Account ID:	{S-1-5-21-184992632-1607737289-1287950321-1179}

	Caller User Name:	Alebovsky

	Caller Domain:	RESEARCH

	Caller Logon ID:	(0x0,0x59DF36)

	Privileges:	-

Attributes:

	Sam Account Name:	Setup Operators

	Sid History:	-
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category Account Management
Source Security
EventId 635
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 12/14/2009 6:59:09 AM
Who Account or user name under which the activity occured. Caller User Name Alebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Group Created" Group Created
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. "High" High
WhoDomain Caller Domain RESEARCH
WhereDomain -
Whom Account or user name being managed. New Account ID {S-1-5-21-184992632-1607737289-1287950321-1179}
Group Type Type of group: security or distribution. "Security" Security
Group Scope Scope of group: local, global, universal. "Local" Local
Group Name -
Group Domain -
Affected Group -
Comments
You must be logged in to comment