4755

A security-enabled universal group was changed

Properties of an AD Universal Security Group (`GroupType`, `SAM Account Name`) were altered.

Event ID 4755 logs when attributes of an Active Directory universal group are modified. Inspecting attribute modifications detects attempts to covertly convert distribution groups into security groups or rename forest-wide access groups.

Failure Reason / Root Cause:

Modification of AD universal security group attributes (`TargetUserName`).

CategoryAccount Management
Audit typeSuccess Audit
SeverityMedium
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywords4755, universal group changed, forest group modification
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4755</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.902Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to A security-enabled universal group was changed -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1098Account Manipulation: Domain GroupsPersistence

Recommended actions

Related events