Event Details
User Activity->Account Management->Group Membership Changes->Windows 2008->EventID 4761 - A member was added to a security-disabled universal group.
EventID 4761 - A member was added to a security-disabled universal group.
 Sample: 
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/28/2009 8:31:03 PM
Event ID:      4761
Task Category: Distribution Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
A member was added to a security-disabled universal group.

Subject:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-500
	Account Name:		ALebovsky
	Account Domain:		LOGISTICS
	Logon ID:		0x2a88a

Member:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-1145
	Account Name:		cn=Paul,ou=Project Managers,dc=Logistics,dc=corp

Group:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-1161
	Group Name:		Employees_univers_distrib
	Group Domain:		LOGISTICS

Additional Information:
	Privileges:		-
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Account Management
Source Microsoft-Windows-Security-Auditing
TaskCategory Distribution Group Management
EventId 4761
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 10.10.2000 19:00:00
Who Account or user name under which the activity occured. Account Name ALebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Group Member Added" Group Member Added
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. "Medium" Medium
WhoDomain Account Domain LOGISTICS
WhereDomain -
Whom Account or user name being managed. Member: Security ID S-1-5-21-1135140816-2109348461-2107143693-1145
Member Name Account name of added/removed group member Member: Account Name cn=Paul,ou=Project Managers,dc=Logistics,dc=corp
Group Type The type of group: security or distribution. "Distribution" Distribution
Group Scope The scope of group: local, global, universal "Universal" Universal
Group Name Group: Group Name Employees_univers_distrib
Group Domain Group: Group Domain LOGISTICS
Affected group The group affected by changes Group: Security ID S-1-5-21-1135140816-2109348461-2107143693-1161
Comments
You must be logged in to comment