4749 A security-disabled global group was created
Written when a security-disabled (distribution) global group is created. Distribution groups carry no access rights, so the security priority is lower, but it remains as a record of a configuration change.
Overview
The subcategory is Audit Distribution Group Management. It is generated when a global distribution group (a group used for things like mail distribution that grants no access rights) is created.
How it is triggered
- Creation of a global distribution group in AD, for example with PowerShell: New-ADGroup -Name "Marketing-DL" -GroupScope Global -GroupCategory Distribution (the -GroupCategory value must be given explicitly, because New-ADGroup creates a security group by default), or through ADUC, ADSI, or any other LDAP client.
Security review points
- Because distribution groups grant no access, creating one carries little privilege-escalation risk on its own. However, if the group type is later changed to a security group, it can be used to grant privileges; that conversion is logged as 4764 (A group's type was changed), so a 4749 followed by a 4764 for the same group deserves the same attention as the creation of a security group.
- In most cases it is enough to confirm that the creating subject and the group name are as expected (for example, that the creator is an account or service that is supposed to provision mail groups).
Notes for log review
- It is more often handled as directory configuration change management than as security monitoring.
- Do not confuse security groups (4727, etc.) with distribution groups (4749). Track it together with type change 4764.
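The correlation suggested above, as an added example that is not part of the original page: the script below parses Security-log records in the XML layout that Get-WinEvent's ToXml() returns, reports the creator of every 4749, and flags any group that a later 4764 converted to a security group. The three event records are constructed for illustration; the Data field names (TargetUserName for the group, TargetSid, SubjectUserName for the actor, GroupTypeChange for the 4764 change text) follow the usual layout of these events and the expected-creator set is an assumption of the example.

```python
"""Correlate 4749 (distribution group created) with a later 4764 (group type
changed) for the same group. Added example with constructed sample events."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, time, data):
    # Build one constructed Security-log record in the XML layout that
    # Get-WinEvent's ToXml() returns. Field names are assumed to follow the
    # 4749/4764 layout (TargetUserName = group, SubjectUserName = actor).
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/>'
            f'<Computer>DC01.corp.example</Computer>'
            f'</System><EventData>{body}</EventData></Event>')


# Constructed sample: one group created by the provisioning service account,
# one created by a helpdesk user and converted to a security group two hours later.
SAMPLE_EVENTS = [
    _event(4749, "2024-03-01T09:00:00Z", {
        "TargetUserName": "Marketing-DL", "TargetDomainName": "CORP",
        "TargetSid": "S-1-5-21-111-222-333-1105",
        "SubjectUserName": "svc-exchange", "SubjectDomainName": "CORP"}),
    _event(4749, "2024-03-01T09:05:00Z", {
        "TargetUserName": "Helpdesk-DL", "TargetDomainName": "CORP",
        "TargetSid": "S-1-5-21-111-222-333-1106",
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"}),
    _event(4764, "2024-03-01T11:30:00Z", {
        "TargetUserName": "Helpdesk-DL", "TargetDomainName": "CORP",
        "TargetSid": "S-1-5-21-111-222-333-1106",
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "GroupTypeChange": "Security Disabled Global Group Changed to "
                           "Security Enabled Global Group."}),
]


def parse_event(xml_text):
    """Flatten one event's System and EventData fields into a dict."""
    root = ET.fromstring(xml_text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    rec = {
        "id": int(root.find("e:System/e:EventID", NS).text),
        "time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
        "computer": root.find("e:System/e:Computer", NS).text,
    }
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def review_distribution_group_creations(xml_events, expected_creators):
    """For every 4749, report who created the group, whether that creator is
    on the expected list, and whether a later 4764 turned the group into a
    security group. Groups are matched on SID so a rename does not hide it."""
    events = sorted((parse_event(x) for x in xml_events), key=lambda r: r["time"])
    conversions = [r for r in events if r["id"] == 4764
                   and "security enabled" in r.get("GroupTypeChange", "").lower()]
    findings = []
    for created in (r for r in events if r["id"] == 4749):
        key = created.get("TargetSid") or created.get("TargetUserName")
        later = [c for c in conversions
                 if (c.get("TargetSid") or c.get("TargetUserName")) == key
                 and c["time"] >= created["time"]]
        findings.append({
            "group": created["TargetUserName"],
            "creator": created["SubjectUserName"],
            "created_at": created["time"],
            "creator_expected": created["SubjectUserName"] in expected_creators,
            "converted_to_security": bool(later),
            "converted_by": later[0]["SubjectUserName"] if later else None,
            "converted_at": later[0]["time"] if later else None,
        })
    return findings


if __name__ == "__main__":
    for f in review_distribution_group_creations(SAMPLE_EVENTS, {"svc-exchange"}):
        flag = "REVIEW" if (f["converted_to_security"] or not f["creator_expected"]) else "ok"
        print(f"{flag:6} {f['group']:14} created by {f['creator']:12} "
              f"converted={f['converted_to_security']} by={f['converted_by']}")
```

In production the same function can be fed the output of Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4749,4764} piped through ToXml(), or an exported .evtx converted to XML; the only thing to adjust is the set of accounts you consider legitimate creators.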
Key fields
| Field | Meaning |
|---|---|
| New Group\Group Name | The created distribution group |
| New Group\Security ID | The SID of the new group (stable across renames; use it for correlation with 4764) |
| Subject\Account Name | The subject that performed the creation |
Glossary
- Distribution group — a group that grants no access rights, used mainly as a target for mail distribution and the like.