Windows Security Log Event ID 4764

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Account Management
 • Security Group Management
Type Success
Corresponding events
in Windows 2003
and before
668  

4764: A groups type was changed

On this page

A group's type or scope was changed by Subject:.

AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists.

No matter what type the group was before or after the change this event is always logged as subcategory "Security Group Management".

Scope:
AD has 3 scopes of groups: Local, Global, Universal. See knowledge base article 326265.

Subject:

The ID and logon session of the user that changed the policy - always the local system - see note above. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Change Type: type scope Group Changed to type scope Group.

Free Security Log Resources by Randy

Description Fields in 4764

Group: 

  • Security ID:  The SID of the affected group
  • Group Name: Name of affected group
  • Group Domain:  Domain of affected group

Additional Information:

  •  Privileges:  always "-"

 

Supercharger Enterprise


 

Examples of 4764

A group’s type was changed.

Subject:

   Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x30999

Change Type:   Security Enabled Global Group Changed to Security Enabled Universal Group.

Group:

   Security ID:  ACME\Dharma Institute Employees
   Group Name:  Dharma Institute Employees
   Group Domain:  ACME

Additional Information:

   Privileges:  -
 

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources