ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Server Active Directory management console showing group administration and security event logs
Event ID 4730InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4730 – Microsoft-Windows-Security-Auditing: Security-Enabled Universal Group Deleted

Event ID 4730 logs when a security-enabled universal group is deleted from Active Directory. This audit event tracks group management changes for security compliance and forensic analysis.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4730Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 4730 represents a critical security audit event that occurs when administrators or authorized users delete security-enabled universal groups from Active Directory. Universal groups serve as a fundamental component of Active Directory's group management strategy, allowing organizations to assign permissions and group memberships across domain boundaries within a forest.

When a universal group deletion occurs, Windows generates this event on the domain controller that processed the deletion request. The event contains comprehensive information including the target group's name, SID, domain, and the security context of the account that initiated the deletion. This information proves invaluable for security teams conducting forensic analysis or compliance audits.

The event structure includes several key fields: Subject Security ID identifies who performed the action, Target Account details specify which group was deleted, and Additional Information provides context about the deletion operation. The event also captures the logon session ID, allowing administrators to correlate the deletion with other activities performed during the same session.

Organizations with strict change management policies often monitor this event to ensure group deletions follow proper approval processes. The event helps detect unauthorized administrative actions, accidental deletions, or malicious activities targeting critical security groups. Security information and event management (SIEM) systems frequently include rules to alert on unexpected universal group deletions, especially for groups with elevated privileges.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Active Directory Domain Controllers
Analysis

Possible Causes

  • Administrator manually deletes a security-enabled universal group through Active Directory Users and Computers
  • PowerShell script or command removes universal group using Remove-ADGroup cmdlet
  • Automated group lifecycle management system removes expired or unused universal groups
  • Third-party Active Directory management tool deletes universal group
  • Group deletion occurs during domain migration or cleanup operations
  • Malicious insider or compromised account removes security groups to escalate privileges
  • Accidental deletion during bulk group management operations
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to understand what group was deleted and by whom.

  1. Open Event Viewer on the domain controller where the event occurred
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4730 using the filter option
  4. Double-click the event to view full details
  5. Note the Subject Security ID and Account Name fields to identify who performed the deletion
  6. Record the Target Account Name and Target Domain to identify the deleted group
  7. Check the Logon ID to correlate with other events from the same session

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4730} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Pro tip: Cross-reference the Logon ID with Event ID 4624 (successful logon) to understand the complete session context.
02

Investigate Group Membership Before Deletion

Determine what the deleted group contained and its permission assignments to assess impact.

  1. Check if the group had any remaining members before deletion by reviewing recent Event ID 4729 (member removed from group) events
  2. Search for Event ID 4728 entries to see historical group membership additions
  3. Use PowerShell to search for related group events:
# Search for all group-related events for the deleted group
$GroupName = "DeletedGroupName"
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4728,4729,4730} | Where-Object {$_.Message -like "*$GroupName*"} | Sort-Object TimeCreated
  1. Check Active Directory Recycle Bin if enabled to view the group's attributes before deletion:
Get-ADObject -Filter {Name -eq "DeletedGroupName"} -IncludeDeletedObjects -Properties *
  1. Review file system and application logs for access denied errors that might indicate permission issues caused by the group deletion
Warning: Universal group deletions can immediately impact permissions across the entire forest. Check for user complaints about access issues.
03

Analyze Administrative Session Context

Investigate the complete administrative session to understand if the deletion was part of legitimate maintenance or potentially malicious activity.

  1. Use the Logon ID from the 4730 event to find the initial logon event:
# Replace LogonID with the actual value from Event 4730
$LogonID = "0x12345678"
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Message -like "*$LogonID*"}
  1. Search for all events during that logon session to see other activities:
# Find all events for the specific logon session
Get-WinEvent -FilterHashtable @{LogName='Security'} | Where-Object {$_.Message -like "*$LogonID*"} | Sort-Object TimeCreated
  1. Check for suspicious patterns such as multiple group deletions, privilege escalation attempts, or unusual logon times
  2. Verify the source IP address and computer name from the logon event match expected administrative workstations
  3. Review Event ID 4634 (account logged off) to determine session duration
  4. Cross-reference with change management tickets or scheduled maintenance windows
Pro tip: Look for Event ID 4672 (special privileges assigned) during the same session to identify if the account used elevated privileges.
04

Implement Preventive Monitoring and Alerting

Set up monitoring to detect future unauthorized group deletions and establish proper change controls.

  1. Create a PowerShell script to monitor for Event ID 4730 and send alerts:
# Monitor for universal group deletions
$Query = @"

  
    
  

"@

Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4730" -Action {
    $Event = $Event.SourceEventArgs.NewEvent
    Send-MailMessage -To "security@company.com" -From "dc-monitor@company.com" -Subject "Universal Group Deleted" -Body "Group deletion detected: $($Event.Message)" -SmtpServer "mail.company.com"
}
  1. Configure Windows Event Forwarding to centralize security events from all domain controllers
  2. Set up SIEM rules to correlate group deletions with other suspicious activities
  3. Implement Group Policy to restrict group management permissions to specific administrative accounts
  4. Enable Active Directory Recycle Bin for group recovery capabilities:
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
  1. Create a scheduled task to regularly audit group memberships and detect unauthorized changes
05

Forensic Analysis and Recovery Procedures

Perform comprehensive forensic analysis and implement recovery procedures for critical group deletions.

  1. Export all related security events for forensic analysis:
# Export security events related to the incident
$StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$StartTime; EndTime=$EndTime; ID=4728,4729,4730,4731,4732,4733} | Export-Csv -Path "C:\Forensics\GroupEvents.csv" -NoTypeInformation
  1. Analyze domain controller replication logs to determine if the deletion replicated to all DCs:
# Check replication status
repadmin /showrepl /csv | ConvertFrom-Csv | Where-Object {$_.'Source DSA' -ne $null}
  1. If Active Directory Recycle Bin is enabled, restore the deleted group:
# Restore deleted universal group
Get-ADObject -Filter {Name -eq "DeletedGroupName"} -IncludeDeletedObjects | Restore-ADObject
  1. If Recycle Bin is not available, restore from authoritative backup using ntdsutil or Windows Server Backup
  2. Document the incident timeline, affected systems, and recovery actions taken
  3. Review and update group management procedures to prevent similar incidents
  4. Consider implementing additional controls such as approval workflows for group deletions
Warning: Authoritative restores can impact Active Directory replication. Plan carefully and test in a lab environment first.

Overview

Event ID 4730 fires whenever a security-enabled universal group gets deleted from Active Directory. This audit event appears in the Security log on domain controllers and provides detailed information about who deleted the group, when it happened, and which group was removed. Universal groups in Active Directory can contain users, computers, and other groups from any domain in the forest, making their deletion a significant security event that requires proper tracking.

This event only triggers when audit policy for "Audit Account Management" is enabled on the domain controller. The event captures critical details including the security identifier (SID) of the deleted group, the account that performed the deletion, and the logon session information. Security teams rely on this event for compliance reporting, forensic investigations, and detecting unauthorized group management activities.

Unlike local group deletions, universal group deletions affect forest-wide permissions and can impact users across multiple domains. The event provides essential audit trail information for organizations that must track privileged group changes for regulatory compliance or security monitoring purposes.

Frequently Asked Questions

What is the difference between Event ID 4730 and other group deletion events?+
Event ID 4730 specifically tracks the deletion of security-enabled universal groups. Event ID 4734 covers security-enabled local group deletions, while Event ID 4758 handles security-enabled universal group deletions in some contexts. Universal groups are significant because they can contain members from any domain in the forest and can be assigned permissions in any domain, making their deletion a forest-wide security event rather than a domain-specific one.
Why am I not seeing Event ID 4730 when groups are deleted?+
Event ID 4730 only appears when the 'Audit Account Management' policy is enabled in Group Policy. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit Security Group Management and ensure it's set to 'Success' or 'Success and Failure'. Additionally, this event only fires for security-enabled universal groups, not distribution groups or other group types.
Can I recover a universal group after seeing Event ID 4730?+
Recovery depends on your Active Directory configuration. If Active Directory Recycle Bin is enabled, you can restore the group using PowerShell: Get-ADObject -Filter {Name -eq 'GroupName'} -IncludeDeletedObjects | Restore-ADObject. If Recycle Bin isn't enabled, you'll need to restore from an authoritative backup using ntdsutil or Windows Server Backup. The group's SID will be preserved during Recycle Bin restoration, maintaining existing permissions.
How can I identify who deleted a universal group from Event ID 4730?+
Event ID 4730 contains detailed information about the deletion. Look for the 'Subject' section in the event details, which includes the Security ID, Account Name, Account Domain, and Logon ID of the person who performed the deletion. You can correlate the Logon ID with Event ID 4624 (successful logon) to get additional context about when and how the person logged in, including source IP address and authentication method.
What should I do if I see unexpected Event ID 4730 entries?+
First, verify the deletion was authorized by checking with your change management system and the account holder identified in the event. Review the complete logon session using the Logon ID to see other activities performed. Check for signs of compromise such as unusual logon times, unexpected source locations, or multiple group deletions. If the deletion appears unauthorized, immediately investigate the account for compromise, review group memberships that may have been affected, and consider restoring the group from Active Directory Recycle Bin or backup if necessary.
Documentation

References (2)

1
Microsoft Learn - Audit Account ManagementOfficial documentation covering audit policies for account management events including group deletionshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-account-management
2
Active Directory Recycle Bin OverviewMicrosoft documentation on Active Directory Recycle Bin functionality and recovery procedureshttps://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4730#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...