ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Active Directory Users and Computers console showing security group management interface with audit logs
Event ID 4727InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4727 – Microsoft-Windows-Security-Auditing: Security-Enabled Global Group Created

Event ID 4727 fires when a security-enabled global group is created in Active Directory. This audit event tracks group creation activities for security monitoring and compliance purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4727Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4727 represents a fundamental security audit event in Windows Active Directory environments. When a security-enabled global group is created, Windows generates this event to maintain a comprehensive audit trail of directory service modifications. The event contains critical forensic information including the subject who performed the action, the target group details, and the specific attributes assigned during creation.

The event structure includes several key fields: the Subject section identifies who created the group (including their account name, domain, logon ID, and SID), while the New Group section provides details about the created group including its name, domain, and newly assigned SID. Additional attributes such as SAM Account Name, SID History, and group type are also recorded for complete audit coverage.

This event is particularly significant in enterprise environments where group-based access control is the primary security model. Security-enabled global groups can be assigned permissions to resources across the forest, making their creation a sensitive operation that requires monitoring. The event helps security teams detect unauthorized administrative activities, track compliance with group creation policies, and investigate potential security incidents involving privilege escalation through group membership manipulation.

Modern security information and event management (SIEM) systems heavily rely on Event ID 4727 for automated threat detection and compliance reporting. The event's structured format makes it ideal for parsing and correlation with other security events to build comprehensive security timelines and detect sophisticated attack patterns.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Active Directory Domain Controllers
Analysis

Possible Causes

  • Administrator creates a new security-enabled global group through Active Directory Users and Computers console
  • PowerShell cmdlets like New-ADGroup are executed to create global security groups
  • LDAP operations programmatically create new global groups through custom applications or scripts
  • Group creation through Exchange Management Console when creating mail-enabled security groups
  • Automated provisioning systems create groups as part of user onboarding or application deployment processes
  • Migration tools create groups during Active Directory migration or consolidation projects
  • Third-party identity management solutions create groups through directory synchronization
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the event details directly in Event Viewer to understand the context of the group creation.

  1. Open Event Viewer on the domain controller where the event occurred
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4727 using the filter option or search functionality
  4. Double-click the event to view detailed information including:
    • Subject: Account that created the group
    • New Group: Details of the created group
    • Attributes: Initial group properties and settings
  5. Note the timestamp, source workstation, and logon session details for correlation with other events
  6. Check if the group creation aligns with authorized administrative activities or change management processes
Pro tip: Look for patterns in group creation times and creators to identify potential automated processes or suspicious activities.
02

Query Events Using PowerShell

Use PowerShell to efficiently query and analyze Event ID 4727 across multiple domain controllers for comprehensive monitoring.

  1. Open PowerShell as Administrator on a domain controller or management workstation
  2. Query recent group creation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract specific details from event messages:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727} -MaxEvents 10 | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        TargetUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        TargetDomainName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetDomainName'} | Select-Object -ExpandProperty '#text'
    }
}
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727} -MaxEvents 100 | Export-Csv -Path "C:\Temp\GroupCreationAudit.csv" -NoTypeInformation
Warning: Large queries across multiple domain controllers can impact performance. Use time filters and limit results appropriately.
03

Verify Group Properties and Permissions

Investigate the created group's current state and permissions to ensure it aligns with security policies and intended use.

  1. Open Active Directory Users and Computers on a domain controller
  2. Enable Advanced Features from the View menu to see all attributes
  3. Locate the group mentioned in the Event ID 4727 entry
  4. Right-click the group and select Properties
  5. Review the General tab for basic group information and description
  6. Check the Members tab to see if any users were immediately added to the group
  7. Examine the Member Of tab to identify parent groups and inherited permissions
  8. Review the Security tab to check explicit permissions assigned to the group
  9. Use PowerShell to get detailed group information:
    Get-ADGroup -Identity "GroupName" -Properties * | Select-Object Name, SamAccountName, GroupScope, GroupCategory, Created, CreatedBy, Description, Members
  10. Check group membership and nested relationships:
    Get-ADGroupMember -Identity "GroupName" -Recursive | Select-Object Name, ObjectClass, SamAccountName
Pro tip: Compare the group's current state with the initial attributes recorded in Event ID 4727 to detect any unauthorized modifications.
04

Correlate with Related Security Events

Analyze related security events to build a complete timeline of activities surrounding the group creation and identify potential security implications.

  1. Search for related events in the same timeframe using PowerShell:
    $GroupCreationTime = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727} -MaxEvents 1).TimeCreated
$StartTime = $GroupCreationTime.AddMinutes(-30)
$EndTime = $GroupCreationTime.AddMinutes(30)

# Look for group membership changes (4728, 4729, 4732, 4733)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4729,4732,4733; StartTime=$StartTime; EndTime=$EndTime}
  2. Check for logon events from the same user who created the group:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$StartTime; EndTime=$EndTime} | Where-Object {$_.Message -like "*SubjectUserName*"}
  3. Look for privilege escalation events (4672) around the same time:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=$StartTime; EndTime=$EndTime}
  4. Search for object access events if the group was immediately used:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4658,4663; StartTime=$StartTime; EndTime=$EndTime}
  5. Create a comprehensive timeline report:
    $Events = @()
$Events += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727,4728,4729,4732,4733,4624,4672; StartTime=$StartTime; EndTime=$EndTime}
$Events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='EventType';Expression={switch($_.Id){4727{'Group Created'};4728{'User Added to Group'};4729{'User Removed from Group'};4732{'User Added to Local Group'};4733{'User Removed from Local Group'};4624{'Logon'};4672{'Special Privileges'};default{'Other'}}}}, Message | Export-Csv -Path "C:\Temp\GroupCreationTimeline.csv"
Warning: Correlating events across large time windows can generate significant data. Focus on narrow time ranges around the group creation event.
05

Implement Automated Monitoring and Alerting

Set up automated monitoring to detect and alert on unauthorized or suspicious group creation activities in real-time.

  1. Create a scheduled task to monitor Event ID 4727 using PowerShell:
    # Create monitoring script
$ScriptContent = @'
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue
if ($Events) {
    foreach ($Event in $Events) {
        $EventXML = [xml]$Event.ToXml()
        $Creator = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        $GroupName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        
        # Send alert email or log to SIEM
        Write-EventLog -LogName Application -Source "GroupMonitor" -EventId 1001 -Message "New security group created: $GroupName by $Creator at $($Event.TimeCreated)"
    }
}
'@

$ScriptContent | Out-File -FilePath "C:\Scripts\MonitorGroupCreation.ps1"
  2. Register the script as a scheduled task:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\MonitorGroupCreation.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "MonitorGroupCreation" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  3. Configure Windows Event Forwarding to centralize Event ID 4727 collection:
    • On collector server, run: wecutil qc
    • Create subscription configuration file for Event ID 4727
    • Deploy WinRM configuration to source domain controllers
  4. Set up custom Event Viewer views for quick access:
    • Open Event ViewerCustom Views
    • Create new custom view filtering for Event ID 4727
    • Save view as "Group Creation Monitoring"
  5. Integrate with SIEM solutions by configuring log forwarding:
    # Example: Forward to Splunk Universal Forwarder
$SplunkConfig = @"
[WinEventLog://Security]
disabled = 0
whitelist = 4727
index = windows_security
"@
$SplunkConfig | Out-File -FilePath "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf" -Append
Pro tip: Combine Event ID 4727 monitoring with business context data to reduce false positives from legitimate administrative activities.

Overview

Event ID 4727 is a security audit event that fires whenever a security-enabled global group is created in Active Directory. This event appears in the Security log on domain controllers and provides detailed information about who created the group, when it was created, and the group's initial properties. The event is part of Windows' comprehensive audit trail for Active Directory object management and is essential for security monitoring, compliance reporting, and forensic investigations.

This event fires immediately after successful group creation through any method - Active Directory Users and Computers, PowerShell cmdlets, LDAP operations, or programmatic interfaces. The event captures the security identifier (SID) of both the creator and the newly created group, along with the group's distinguished name and initial attributes. Domain administrators typically monitor this event to track unauthorized group creation attempts and maintain proper access control governance.

Understanding Event ID 4727 is crucial for security teams managing Active Directory environments, as unauthorized group creation can lead to privilege escalation and security breaches. The event provides the foundation for automated alerting systems and compliance auditing in enterprise environments running Windows Server 2025 and earlier versions.

Frequently Asked Questions

What does Event ID 4727 mean and when does it occur?+
Event ID 4727 indicates that a security-enabled global group has been created in Active Directory. This event fires immediately after successful group creation through any method including Active Directory Users and Computers, PowerShell cmdlets like New-ADGroup, LDAP operations, or programmatic interfaces. The event provides detailed audit information about who created the group, when it was created, and the group's initial properties. It's essential for tracking administrative activities and maintaining security compliance in Active Directory environments.
How can I identify who created a specific group using Event ID 4727?+
Event ID 4727 contains detailed subject information in the event message. You can identify the creator by examining the Subject section which includes the account name, domain, logon ID, and security identifier (SID) of the user who performed the action. Use PowerShell to extract this information: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727} | ForEach-Object { $Event = [xml]$_.ToXml(); $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} }. The event also includes the source workstation and logon session details for complete audit trail.
Why am I seeing multiple Event ID 4727 entries for automated processes?+
Multiple Event ID 4727 entries from automated processes are common in enterprise environments with identity management systems, provisioning tools, or migration scripts. These systems often create groups programmatically as part of user onboarding, application deployment, or directory synchronization processes. To distinguish legitimate automated activities from suspicious ones, correlate the events with scheduled maintenance windows, check the source accounts (should be service accounts), and verify the timing patterns match expected automation schedules. Consider implementing whitelisting for known service accounts to reduce alert noise.
How do I set up monitoring to detect unauthorized group creation?+
Set up comprehensive monitoring by creating PowerShell scripts that query Event ID 4727 at regular intervals and alert on unexpected group creation activities. Use Get-WinEvent with time-based filters to check for recent events, then correlate with approved change management processes. Implement scheduled tasks to run monitoring scripts hourly, configure Windows Event Forwarding to centralize logs from all domain controllers, and integrate with SIEM solutions for automated alerting. Create custom Event Viewer views and establish baseline patterns of normal group creation to identify anomalies effectively.
What should I investigate if I find suspicious Event ID 4727 entries?+
When investigating suspicious Event ID 4727 entries, first verify the legitimacy of the creating account and check if the action aligns with approved change management processes. Examine the group's current properties, membership, and permissions to assess potential security impact. Correlate with related events like 4728 (user added to group), 4624 (logon events), and 4672 (special privileges assigned) within the same timeframe. Check the source workstation, review recent logon activities of the creating account, and verify if the group has been used to access sensitive resources. Document findings and escalate to security teams if unauthorized administrative activity is confirmed.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4727 and related group management audit events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Active Directory Security Best PracticesMicrosoft's official guidance on securing Active Directory environments and implementing proper audit policies for group management.https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4727#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...