Event Details
User Activity->Account Management->Account Changes->Group Account Changes->Windows 2000-2003->EventID 649 - Security Disabled Local Group Changed [Win 2003]
EventID 649 - Security Disabled Local Group Changed [Win 2003]
 Sample: 
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Management
        Event ID:       649
        Date:           10/26/2009
        Time:           07:41:24
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        Security Disabled Local Group Changed:
        Target Account Name:	Employees_distrib
        Target Domain:	RESEARCH
        Target Account ID:	{S-1-5-21-184992632-1607737289-1287950321-1190}
        Caller User Name:	Alebovsky
        Caller Domain:	RESEARCH
        Caller Logon ID:	(0x0,0x59DF36)
        Privileges:	-
        Changed Attributes:
        Sam Account Name:	-
        Sid History:	-
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category Account Management
Source Security
EventId 649
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 1/1/2000
Who Account or user name under which the activity occured. Caller User Name Alebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Group Changed" Group Changed
Where The name of the workstation/server where the activity was logged. Computer 10.10.10.10
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. "High" High
WhoDomain Caller Domain RESEARCH
WhereDomain -
Whom Account or user name being managed. Target Account ID {S-1-5-21-184992632-1607737289-1287950321-1190}
Group Type Type of group: security or distribution. "Distribution" Distribution
Group Scope Scope of group: local, global, universal. "Local" Local
Group Name -
Group Domain -
Affected Group -
Comments
You must be logged in to comment