Group Deletion
Enabled by default
Service: Microsoft Windows Security auditing
Log type: Security
Group deletion may signal the cleanup of an attack or someone trying to inconvenience a group of users in a network. It is also good to know what groups are present in a system.
View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4734'} -MaxEvents 1 | Format-List
Check Logging Status
auditpol /get /subcategory:"security group management"
Disable Logging
auditpol /set /subcategory:"security group management" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"security group management" /Success:Enable /Failure:Enable
Language: Powershell
Back to WindowsGroup deletion is automatically logged in Windows 10 and can be viewed in the Event Viewer security tab. To view this log, sort or filter by event ID 4734.
To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4734'} -MaxEvents 1 | Format-List
To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the commandwevtutil qe Security "/q:*[System [(EventID=4734)]]"