Group Deletion

Windows 10Windows 7SecurityGroup Activity

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

Group deletion may signal the cleanup of an attack or someone trying to inconvenience a group of users in a network. It is also good to know what groups are present in a system.

View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4734'} -MaxEvents 1 | Format-List
Check Logging Status
auditpol /get /subcategory:"security group management"
Disable Logging
auditpol /set /subcategory:"security group management" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"security group management" /Success:Enable /Failure:Enable
Language: Powershell
Back to Windows

Group deletion is automatically logged in Windows 10 and can be viewed in the Event Viewer security tab. To view this log, sort or filter by event ID 4734.

To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4734'} -MaxEvents 1 | Format-List

To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the commandwevtutil qe Security "/q:*[System [(EventID=4734)]]"

Additional References

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor