Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 635 - Security Enabled Local Group Created [Win 2003]
EventID 635 - Security Enabled Local Group Created [Win 2003]
Indicates that security local group was successfully created by "caller" user.

Note:  
There is no Failure Audit form of this audit event record.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:
Windows 2000 / XP
Windows 2008
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Management
        Event ID:       635
        Date:           10/26/2009
        Time:           07:31:56
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        Security Enabled Local Group Created:
        New Account Name:	Setup Operators
        New Domain:	RESEARCH
        New Account ID:	%{S-1-5-21-184992632-1607737289-1287950321-1179}
        Caller User Name:	Alebovsky
        Caller Domain:	RESEARCH
        Caller Logon ID:	(0x0,0x59DF36)
        Privileges:	-
        Attributes:
        Sam Account Name:	Setup Operators
        Sid History:	-
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category Account Management
Source Security
EventId 635
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Caller User Name Account initiating action InsertionString4 Alebovsky
Caller Domain Domain of the account initiating action InsertionString5 RESEARCH
Caller Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString6 (0x0,0x59DF36)
New Account Name Name of the newly created group account InsertionString1 Setup Operators
New Domain Domain name of the newly created account InsertionString2 RESEARCH
New Account ID Name of the newly created account in the following format: New Domain\New Account Name InsertionString3 %{S-1-5-21-184992632-1607737289-1287950321-1179}
Privileges Contains the list of privileges. The purpose of this field is unknown. In most cases it is empty. InsertionString7 -
Sam Account Name The logon name used to support clients and servers running older versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. InsertionString8 Group 1
Sid History Contains previous SIDs used for the object if the object was moved from another domain. InsertionString9 -
Comments
You must be logged in to comment