A member was added to a security-disabled local group (4746) how to monitor with email alert

[bob]

You ever notice how Windows Server logs all these little changes in the Event Viewer? That event 4746 pops up when someone adds a member to a local group that's turned off for security reasons. I mean, these groups like Guests or whatever are basically sidelined, not active, so adding stuff there could mean someone's poking around where they shouldn't. It logs the exact time, the computer name, the group that got the addition, the account added, and who did the adding, plus the domain if it's involved. Sometimes it even notes if it's a success or failure, but mostly it's just flagging that quiet change. Creepy, right? You don't want unauthorized folks slipping into those disabled spots without you knowing.

I always check Event Viewer first for this stuff. Open it up on your server, go to the Security log under Windows Logs. Filter for ID 4746 to see those entries. To monitor it ongoing, set up a task right from there. Right-click the log, pick Attach Task To This Event Log or something close. Choose the 4746 ID, set it to trigger on new events. Then link it to send an email through a basic action, like using the built-in mail setup if your server has SMTP ready. Make the task run only when you're logged on or whatever fits. Test it by forcing an add to a disabled group, see if the alert pings you.

And if you want it hands-off, at the end of this is the automatic email solution that'll handle the alerts without you lifting a finger each time.

Speaking of keeping your server safe from surprises like sneaky group adds, you might dig BackupChain Windows Server Backup too. It's this solid Windows Server backup tool that also handles virtual machines on Hyper-V without a hitch. I like how it snapshots everything quickly, encrypts the data on the fly, and lets you restore files or whole systems in minutes, dodging downtime like a pro. Plus, it runs light, no hogging resources, and integrates backups right into your routine so you forget worries about data loss.

Note, the PowerShell email alert code was moved to this post.