Event Details
EventID 4744 - A security-disabled local group was created.
 Sample:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/28/2009 8:31:03 PM
Event ID:      4744
Task Category: Distribution Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:  
A security-disabled local group was created.
Subject:
        Security ID:  S-1-5-21-1135140816-2109348461-2107143693-500
        Account Name:  ALebovsky
        Account Domain:  LOGISTICS
        Logon ID:  0x2a88a
New Group:
        Security ID:  S-1-5-21-1135140816-2109348461-2107143693-1157
        Group Name:  Employees_distrib
        Group Domain:  LOGISTICS
Attributes:
        SAM Account Name: Employees_distrib
        SID History:  -
Additional Information:
        Privileges:  -
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows Vista (2008); Windows 7 (2008 R2); Windows 8 (2012); Windows 8.1 (2012 R2); Windows 10 (2016) |
| Category | Account Management |
| Source | Microsoft-Windows-Security-Auditing |
| TaskCategory | Distribution Group Management |
| EventId | 4744 |
Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | The date and time at which the user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Subject: Account Name | ALebovsky |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Group Created" | Group Created |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server from which the activity was initiated. | - | 10.10.10.10 |
| Severity | The seriousness of the event. | "Medium" | Medium |
| WhoDomain | | Subject: Account Domain | LOGISTICS |
| WhereDomain | | - | |
| Whom | Account or user name being managed. | New Group: Security ID | S-1-5-21-1135140816-2109348461-2107143693-1157 |
| Group Type | Type of group: security or distribution. | "Distribution" | Distribution |
| Group Scope | Scope of group: local, global, universal. | "Local" | Local |
| Group Name | | New Group: Group Name | Employees_distrib |
| Group Domain | | New Group: Group Domain | LOGISTICS |
| Affected Group | | InsertionString3 | S-1-5-21-1135140816-2109348461-2107143693-1157 |
| SAM Account Name | | Attributes: SAM Account Name | Employees_distrib |
| SID History | | Attributes: SID History | - |