Windows Log Monitoring

Windows Log Monitoring
Best Practices for Security and Compliance
Table of Contents
Introduction ................................................................................................................................................... 3
Overview ....................................................................................................................................................... 4
Major Security Events and Policy Changes .................................................................................................. 6
Major Security Events and Policy Changes Active Directory and Member Server................................ 6
Active Directory and Member Server Compliance Events of Interest ........................................................... 8
Active Directory General Object Changes ................................................................................................ 8
Active Directory and Local Server Group Member Additions ................................................................... 9
Active Directory and Local Server Group Member Deletions ................................................................. 11
Active Directory and Local Users New or Enabled ................................................................................. 12
Active Directory and Local Users Deleted or Disabled ........................................................................... 13
Active Directory Group Policy Change .................................................................................................... 13
Active Directory Permission Changes ..................................................................................................... 15
Active Directory and Local User Account Lockouts and Password Resets ............................................ 16
Active Directory and Local Server Other Users, Groups and Computers Changes ............................ 17
Authentication and Logons Compliance Events of Interest ........................................................................ 19
Domain Account Authentication .............................................................................................................. 19
Domain Account Authentication Failure Analysis ................................................................................... 20
User Logons by Server Type .................................................................................................................. 21
Introduction
This document, and the accompanying document, SecureWorks Audit Policy Configuration, is designed
to provide you with greater insight into the Windows logs that need to be collected for security, as well as
compliance purposes and how to properly configure your Windows system to log this information. This
document is the result of extensive research into the generally accepted best practices for Windows log
monitoring performed in conjunction with SecureWorks team of Audit Experts and recognized Windows
expert Randy Smith, founder of the Monterey Technology Group and author of Ultimate Windows
Security.
The information contained throughout this document will provide you with event IDs and information
necessary for optimum Windows security and compliance. In addition to this document, SecureWorks has
also tuned our filters to capture the information outlined in this document and has created a suite of
reports for you to use to easily view your Windows events. Reports designated as daily should be
scheduled by your organization to be run daily for your Windows servers and be reviewed by a member
of your team. Reports designated as ad-hoc should be run or scheduled to be run by your organization for
periodic review by your team. The Portal also allows you to store the report and digitally sign it for audit
purposes. Each event grouping below is mapped to one of the following SecureWorks reports, which can
be accessed, ran and scheduled via the Monitoring section of the Report tab in the SecureWorks Client
Portal:
Major Security Events and Policy Changes Daily
Active Directory and Member Server Compliance Events Daily
Active Directory and Member Server Compliance Events Ad Hoc
Authentication and Logons Compliance Events of Interest Ad Hoc
Overview
Windows Event Group
Major Security Events
and Policy Changes
Active Directory and
Member Server
SecureWorks
Report Name
Frequency
of Review
517, 520, 601, 608, 609, 610,

Major Security
611, 612, 617, 620, 621, 622, Events and Policy
643
Changes Daily
Daily
565, 566
Active Directory
and Member
Server Compliance
Events - Daily
Daily
632,636,650,655,660,665
Active Directory
and Member
Server Compliance
Events - Daily
Daily

Local Server Group
Member Deletions
633,637,651,656,661,666
Active Directory
and Member
Server Compliance
Events - Daily
Daily

Local Users New or
Enabled
624,642,626
Active Directory
and Member
Server Compliance
Events - Daily
Daily
629,630,642
Active Directory
and Member
Server Compliance
Events - Daily
Daily
565,566
Active Directory
and Member
Server Compliance
Events - Daily
Daily
565,566,560
Active Directory
and Member
Server Compliance
Events - Daily
Daily
642, 644, 671, 627,628
Active Directory
and Member
Server Compliance
Events of Interest
Ad Hoc
Ad Hoc
642, 685, 635, 631, 658, 648,

653, 663, 641, 639, 659, 649,
654, 664, 638, 634, 662, 652,
657, 667, 668, 645,646, 647
Active Directory
and Member
Server
Compliance
Events Ad
Hoc
Ad Hoc
672
Authentication
and Logons
Compliance
Events of
Interest Ad
Hoc
Ad Hoc

Local Server General
Object Changes
Local Server Group
Member Additions

Local Users Deleted or
Disabled
Active Directory Group

Policy Change

Local Server Permission
Changes
Local User Account
Lockouts and Password
Resets
Local Server Other
Users, Groups and
Computers Changes
Domain Account
Authentication
Event Codes
Windows Log Group
Domain Account
Authentication Failure
Analysis
User Failed Logons by

Server Type
Event Codes
SecureWorks
Report Name
Frequency
of Review
672, 675, 676, 681
Authentication
and Logons
Compliance
Events of
Interest Ad
Hoc
Ad Hoc
529, 530, 531, 532, 533, 534,

535, 536, 537,539
Authentication
and Logons
Compliance
Events of
Interest Ad
Hoc
Ad Hoc
Major Security Events and Policy Changes
Major Security Events and Policy Changes Active Directory and

Member Server
Audit Policy Requirements
Category: Account Management, System Events, Privilege Use, Policy Change
Type: Success
Role: Member Servers and Domain Controllers
SecureWorks Report:
o Pre-Built Report Section: Monitoring
o Report Name: Major Security Events and Policy Changes Daily
Log Information to Aggregate

Computer
Computer
Event\Chan
ge
Eve
nt ID
Event\Change
Performed
By:
Performed
By
517
Security log cleared
Client
User
Name:\Cli
ent User
Domain:
520
System time changed
Client
User
Name:\Cli
ent User
Domain:
Previous Time:7:09:19 PM 8/5/2004

New Time:7:10:18 PM 8/5/2004
601
Attempt to install service
By:
Name: SNMPTRAP
User
Name: \
Domain:
Success/Failure
608
User Right Assigned

User Right: SeUndockPrivilege
Assigned To: Domain\User
Assigned
By:
User
Name: \
Domain:
609
User Right Removed

User Right: SeUndockPrivilege
Removed From: Domain\User
Assigned
By:
User
Name: \
Domain:
610
New Trusted Domain

Domain:
Establishe
d By:
User

Trust Type:
Name: \
Domain:
Translation guidance:
Field
Value
Display
directio
ns
1 - Trusted (the domain where this

event was logged accepts the identity
of users of the new domain)
2 - Trusting ( (the new domain accepts

the identity of users of the domain
where this event was logged)
3 - 2-way (mutual trust)
type
See:
http://msdn.microsoft.com/library/default.asp?url=/libra
ry/en-us/wmisdk/wmi/microsoft_domaintruststatus.asp
And: http://msdn2.microsoft.com/enus/library/system.directoryservices.activedirectory.trus
ttype.aspx
611
Trusted Domain Removed

Domain:
Establishe
d By:
User
Name: \
Domain:
620
Trusted Domain Information Modified

Domain:
Modified
By:
User
Name: \
Domain:
612
Audit Policy Changed
n/a
Server:Name\Domain
New Policy:
SuccessFailure
+ +Logon/Logoff
+ +Object Access
+ +Privilege Use
- -Account Management
+ +Policy Change
+ +System
- -Detailed Tracking
+ +Directory Service Access
+ +Account Logon
617
Kerberos Policy Changed
n/a

Domain:
Change:
--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT:
0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none);
KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9ef7800000000
(none);
621
System Security Access Granted
n/a
Account: Domain\User
Access: SeRemoteInteractiveLogonRight
622
System Security Access Removed
n/a
Account: Domain\User
Access: SeRemoteInteractiveLogonRight
643
Domain Policy Changed

Domain:
Changed
By:
User
Name: \
Domain:
Interpretation
Entries in this group indicate major changes to the security configuration of the indicated server or a high
security event such as the security log being cleared.
Recommended Usage and Response

The Major Security Events and Policy Changes Daily report should be generated for each server
administrator filtered on the servers under his/her care. Run daily for evidence of intrusions,
misconfigurations or unauthorized changes and review with signoff via digital signature through the portal,
email acknowledgement or physical signature. Signed reports should be archived. Verify that all entries
correspond to legitimate actions by authorized administrators.
Documentation
This group contains Event IDs: 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622 and 643.
Active Directory and Member Server Compliance Events of

Interest
Active Directory General Object Changes

Category: Directory Service
Type: Success
Role: Domain Controllers (only DCs report 566 or 565)
SecureWorks Report:
o Report Name: Active Directory and Member Server Compliance Events - Daily

Type
Operation
Object Type:
o
domainDNS = Domain
organizationalUnit = OU
groupPolicyContainer = GPO
Object Type
If present in description
Column contents
Any
WRITE_DAC
Changed permissions
Delete Tree
Deleted along with all

child objects
DELETE
Deleted
Write Property and gPList
GPO options or links

modified
Write Property and

gPOptions
GPO options or links

modified
Write Property and version
modified
organizationalUnit,
domainDNS or site
groupPolicyContainer
Changed by
[Caller Domain:]\[Caller User Name:]
Interpretation
This group documents changes made to AD objects.
Event Codes of Interest

565 and 566.
Recommended Report Review and Response

Run the Active Directory and Member Server Compliance Events-Daily report daily and as needed for
ad hoc research/analysis. Reports should be reviewed with signoff via digital signature through the portal,
email acknowledgement or physical signature. Signed reports should be archived.
Active Directory and Local Server Group Member Additions

Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:

Group domain
Target Domain
Group name
Target Account Name
Type
Security if Security Enabled in description or if event ID: 636, 632,

660
Distribution if Security Disabled in description or if event ID: 650,
655, 665
New Member
Member Name:
Added by
Caller Domain:\Caller User Name:
Interpretation
If groups Type is security, the New Member now has access to any objects where Group is granted
permissions and will receive email sent to Group. If Groups Type is distribution the New Member will
receive email sent to Group.
These logs document new members added to security and distribution groups in Active Directory and
Local Servers. AD and Local Server groups are increasingly being used as the basis for controlling
access to privileged information and transactions in databases and applications so AD and Local groups
and user activity is usually significant even in the unlikely scenario that no significant information is stored
on Windows file servers. Distribution groups are important to monitor since they are often used to deliver
confidential email.

The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and
signoff via digital signature through the portal, email acknowledgement or physical signature. Signed
reports should be archived. Check for inappropriate or unauthorized group membership changes.
Documentation
There are 3 scopes of member groups. A groups scope limits where the group can be granted access
and who the group can have as members. These events are collected from domain controllers.
Scope
Explanation
Event ID
Security
Distribution
Domain Local
As a Domain Local group, Group is limited to objects in

the local domain. Membership in Group cannot result in
access to objects in other domains.
636
650
Global
As a Global group, Group may have access to objects in

local domain and any other trusting domain inside or
outside the forest. Membership in Group may result in
632
655
Universal
As a Universal group, Group may have access to

objects in local domain and any other trusting domain
inside or outside the forest. Membership in Group may
result in access to objects in other domains.
660
665

Active Directory and Local Server Group Member Deletions
Type: Success
SecureWorks Report:

Group domain
Target Domain
Group name
Target Account Name
Type
Security event ID: 637, 633, 661

Distribution event ID: 651, 656, 666
Scope
Domain Local, Global and Universal
Member
Member Name:
Deleted by
Interpretation
If groups Type is security, the Member no longer has access to any objects where Group is granted
permissions and will no longer receive email sent to Group. If Groups Type is distribution the New
Member will no longer receive email sent to Group.
These logs document members removed from security and distribution groups in Active Directory and
Local Servers. AD groups are increasingly being used as the basis for controlling access to privileged
information and transactions in databases and applications so AD and Local server groups and user
activity is usually significant even in the unlikely scenario that no significant information is stored on
Windows file servers. Distribution groups are important to monitor since they are often used to email
confidential email.

reports should be archived. Provides documentation that group membership was revoked in connection
with job changes, etc.
Documentation
There are 3 scopes of groups. A groups scope limits where the group can be granted access and who
the group can have as members. These events are collected from domain controllers.
Scope
Explanation
Event ID
Security
Distribution
Domain Local
As a Domain Local group, Group is limited to objects in

the local domain. Membership in Group cannot result in
637
651
Global
As a Global group, Group may have access to objects in

local domain and any other trusting domain inside or
outside the forest. Membership in Group may result in
633
656

Universal
As a Universal group, Group may have access to

objects in local domain and any other trusting domain
inside or outside the forest. Membership in Group may
result in access to objects in other domains.
661
666
Active Directory and Local Users New or Enabled

Type: Success
SecureWorks Report:

Operation
Criteria
event ID 624
event ID 642
event ID 626
User
Account
Performed
by
Operation
User Account
New
New Account Domain:\New Account Name:
Enabled
Target Domain\Target Account Name:
Interpretation
This event group documents new AD and Local Member Server user accounts or users previously
disabled that are now enabled.

reports should be archived.
Verify new user accounts correspond to new hires and check for accounts of terminated employees that
have been mistakenly enabled. Enabled user accounts except in connection with return from sabbatical
should be fairly infrequent; investigate.
Documentation
This group is based on event ID 626 and 624 in Windows 2003; 642 and 624 in Windows 2000.
Active Directory and Local Users Deleted or Disabled

Type: Success
SecureWorks Report:

Operation
Criteria
Operation
event ID 630
Deleted
642 where Account Disabled within description
Disabled
629
User Account
Target Account Name:\Target Domain:
Performed by
Interpretation
This event group documents AD and Local Member Server user account deletions or accounts previously
enabled that are now disabled.

reports should be archived. This report provides documentation that account access was revoked in
connection with terminations, etc.
Documentation
This group is based on event ID 629 and 630 in Windows 2003; 642 and 630 in Windows 2000.
Active Directory Group Policy Change

Type: Success
SecureWorks Report:

Type
Object Type:
o
domainDNS = Domain
site = Site
Name
Case
Object Name
Operation
Operation
Object Name:
Group Policy links

or options changed
Object Name:
GPO modified
Object Name:
GPO permissions
modified
Object Name:
GPO deleted
Object Name:
GPO created
(Object Type: is organizationalUnit or domainDNS or site)

and (Properties: includes gPList or gPOptions)
and (Accesses: includes Write Property)
Object Type: is groupPolicyContainer

and (Properties: includes version)
and (Accesses: includes Write Property)

and Accesses: includes WRITE_DAC

And (Accesses: includes DELETE)
Object Type: is container

and (Accesses: includes Create Child)
and Properties: includes groupPolicyContainer
Changed by
Interpretation
This event group documents all group policy related changes:
New, Changed and Deleted GPOs
Changes to the Group Policy properties tab of Sites, Domains and Organizational Units


Check for inappropriate or unauthorized group policy changes. Mistaken modifications to group policy
can impact thousands of users and computers. Change control and change audit trail are crucial to
limiting group policy risk. Changes to group policy objects can also adversely reconfigure security
settings or policies opening the organization to intrusion or system abuse.
Documentation
This group is based on event IDs 566 and 565.
Active Directory Permission Changes

Type: Success
SecureWorks Report:

Note
Enable auditing at root of domain for Everyone, All objects,

Success, Change Permissions. This is already the default on
Windows 2000 DCs but not on Windows 2003 DCs.
Domain
Convert DC= components of Object Name: to DNS equivalent.

DC=acme,DC=com becomes acme.com
Type
Object Type:
domainDNS = Domain
otherwise use actual value
Operation
Object Name
Name
Changed by
Interpretation
This group documents changes to permissions on objects in Active Directory. Permission changes are
usually the result of delegating administrative authority. Active Directory does not report the content of
the changes only that the change occurred.

Check for inappropriate delegation of authority. Delegation of control is important in AD in order to follow
least privilege but could result in inappropriate authority being granted if not executed properly. Since

Active Directory does not report the content of the changes only that the change occurred you must
review the ACLs of the affected objects.
Documentation
This group is based on event ID 560, 565 and 566.
Active Directory and Local User Account Lockouts and Password

Resets
Type: Success
SecureWorks Report:
o Report Name: Active Directory and Member Server Compliance Events Ad Hoc

Operation
Operation
OS
Criteria
Locked
2000
event ID 644
2003
Unlocked
Password
Reset
2000
642 where unlocked within description
2003
671
2000
627 where Target different than Caller
2003
628
User Account
Target Account ID:
Performed by

n/a for 644
Interpretation
This group documents AD and Local Member Server account lockouts, subsequent unlocks and
password resets by an administrator or someone delegated that authority.

Run the Active Directory and Member Server Compliance EventsAd Hoc report periodically and as
needed. Verify password resets correspond to authentic calls to the help desk by user whos forgotten
his password. Verify account unlock and password reset requests are properly authenticated by help
desk.
Having authority to reset passwords allows the holder to impersonate other users. Periodically auditing
password resets provides a deterrent control.
Documentation
This group is based on event ID 642, 644, 671, 627 and 628.
Active Directory and Local Server Other Users, Groups and

Computers Changes
Type: Success
Role: Domain controllers. Recognize DCs where Target Name: does not equal Computer
SecureWorks Report:
o Report Name: Active Directory and Member Server Compliance Events Ad Hoc

Object Type
Operation
Column Definition
Selection Criteria
User
For user
changes its
important to
distinguish
whether 624 is
from a 2000 or
2003 computer.
Since many
642s in 2003 are
redundant
because of other
specific event
IDs. To
determine OS
version:
Windows
2000:
Changed
Attributes
will not be
present in
description
Windows
2003:
Changed
Attributes is
present in
description
General
change
On Windows 2000
642 - First insertion string from
description. Some account changes
generate 642 with first insertion string
empty. In such cases display Not
specified
On Windows 2003
MS removed the first insertion string
and replaced with Changed Attributes.
Display attribute name/value pairs for
which there is a value
For example, for the example event
below you would display:
Password Last Set: 8/1/2006 12:15:10
PM
Some account changes generate 642
where no attributes are listed as
changed. In such cases display Not
specified
Example event:
Event Type: Success Audit
Event Source:
Security
Event Category:
Account
Management
Event ID:
642
Date:
8/1/2006
Time:
12:15:10 PM
User:
S3DGROUP\radmin
Computer:
A4
Description:
User Account Changed:
Target Account Name:
Event ID 642
To determine OS version:
Windows 2000: Changed
Attributes will not be
present in description
Windows 2003: Changed
Attributes is present in
description
First check if 642 matches
criteria for one of the other
operations in this table. If so
its a specific change not a
general change.
Windows logs multiple 642s
sometimes in relation to one
operation from the point of
view of the administrator.
Windows logs multiple 642s
in conjunction with new user
accounts (624).
Windows also logs 642s that
are redundant because of
event IDs that document
specific actions such as
password resets,
enabling/disabling accounts,
etc.

gthomas
Target Domain:
S3DGROUP
Target Account ID:
S3DGROUP\gthomas
Caller User Name:
radmin
Caller Domain:
S3DGROUP
Caller Logon ID:
(0x0,0x34495)
Privileges: Changed Attributes:
Sam Account Name: Display Name:
User Principal Name:
Home Directory:
Home Drive: Script Path:
Profile Path:
User Workstations:
Password Last Set:
8/1/2006 12:15:10 PM
Account Expires: Primary Group ID: AllowedToDelegateTo:
Old UAC Value:
New UAC Value:
User Account Control:
User Parameters: Sid History:
Logon Hours:
-
Group
Renamed
From: [Old Account Name:

[New Account Name:]
] To:
685
Created
Created
635, 631, 658, 648, 653, 663
Changed
Changed
641, 639, 659, 649, 654, 664
Sam Account Name:Sid History:Deleted
Deleted
638, 634, 662, 652, 657, 667
Group Type
Changed
Group Type Changed From:

[Security/Distribution] To:
[Local/Global/Universal]
668
Security if Security Enabled in

description
Distribution if Security Disabled in
description
Computer
Created
Created
645
Changed
See General Change column

definition for User
646

Deleted
Deleted
647
Other Information
Domain
[Target Account Domain:]
Object
[Target Account Domain:]\ [Target Account Name:]
Type:
Use Object Type column in table above
Performed by
[Caller Domain:]\[Caller User Name:]

n/a for Account Locked operations 644
Interpretation
This group documents all other changes to users, groups and computers including new and deleted
objects. Sometimes Windows fails to report exactly what was changed which is reflected by Not
specified.
needed. Provide as needed to IT Audit to demonstrate compliance with account management
procedures.
Documentation
This group is based on event ID 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664,
638, 634, 662, 652, 657, 667, 668, 645,646 and 647.
Authentication and Logons Compliance Events of Interest
Domain Account Authentication

Category: Account Logon
Type: Success
SecureWorks Report:
o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc

Authentication Type
Authentication Type: (success)

672 = Kerberos TGT,
Account
Domain:\User Name:
Server
Event 672: Computer.
Interpretation

This group documents all authentications to domain controllers by users. Note that whenever such a user
logs onto their own workstation or member server, this will generate a Network logon to a DC since the
users workstation must access the domain controller under the users credentials to apply Group
Policy\User Configuration.

needed.
Documentation
This group is based on event ID 672.
Domain Account Authentication Failure Analysis

Category: Account Logon
Type: Failure
SecureWorks Report:

Account
Domain:\User Name:
Reason
See http://ultimatewindowssecurity.com/kerberrors.html for Kerberos

errors
See http://ultimatewindowssecurity.com/ntlmerrors.html for NTLM
errors
Domain Controller
Computer name from event header
Workstation
Event 681: Workstation: or Worktation Name:

Event 672, 675,676: Client Address:
Authentication Protocol
Event 681: NTLM

Event 672, 675,676: Kerberos
Interpretation
This group documents all authentication failures to domain controllers by users. Note that whenever such
a user logs onto their own workstation or member server, this will generate a Network logon to a DC since
the users workstation must access the domain controller under the users credentials to apply Group
Policy\User Configuration.

needed.

Documentation
This group is based on event ID 672, 675, 676 and 681.
User Logons by Server Type

Category: Logon/Logoff
Type: Failure
Role: Servers
SecureWorks Report:

Logon Type
Logon Type: %4
See http://ultimatewindowssecurity.com/logontypes.html for
translation
Domain:\User Name
User Name: %1 Domain: %2
Server
Computer.
Process
Logon Process
ID
Logon ID (optional)
Success/Failure
EventType from header

If failure, fill in failure reason based on event ID
Interpretation
This group documents all logons to monitored servers.

needed.
Documentation
This group is based on event ID 529 through 540, excluding 538.

Windows Log Monitoring

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Windows Log Monitoring

Diunggah oleh

Hak Cipta:

Format Tersedia

Windows Log Monitoring

Best Practices for Security and Compliance

Major Security Events and Policy Changes Daily

Active Directory and Member Server Compliance Events Daily

Active Directory and Member Server Compliance Events Ad Hoc

Authentication and Logons Compliance Events of Interest Ad Hoc

517, 520, 601, 608, 609, 610,

Active Directory and

Active Directory and

642, 644, 671, 627,628

642, 685, 635, 631, 658, 648,

Active Directory and

Active Directory and

Active Directory Group

Active Directory and

Windows Log Group

User Failed Logons by

672, 675, 676, 681

529, 530, 531, 532, 533, 534,

Major Security Events and Policy Changes

Major Security Events and Policy Changes Active Directory and

Log Information to Aggregate

Security log cleared

System time changed

Previous Time:7:09:19 PM 8/5/2004

Attempt to install service

User Right Assigned

User Right Removed

New Trusted Domain

1 - Trusted (the domain where this

2 - Trusting ( (the new domain accepts

3 - 2-way (mutual trust)

Trusted Domain Removed

Trusted Domain Information Modified

Audit Policy Changed

Kerberos Policy Changed

System Security Access Granted

System Security Access Removed

Domain Policy Changed

Recommended Usage and Response

Active Directory and Member Server Compliance Events of

Log Information to Aggregate

Deleted along with all

Write Property and gPList

GPO options or links

Write Property and

GPO options or links

Write Property and version

[Caller Domain:]\[Caller User Name:]

Event Codes of Interest

Recommended Report Review and Response

Active Directory and Local Server Group Member Additions

Target Account Name

Security if Security Enabled in description or if event ID: 636, 632,

Caller Domain:\Caller User Name:

Recommended Usage and Response

As a Domain Local group, Group is limited to objects in

As a Global group, Group may have access to objects in

As a Universal group, Group may have access to

Log Information to Aggregate

Target Account Name

Security event ID: 637, 633, 661

Domain Local, Global and Universal