06-30-2024, 05:17 PM
You ever notice how Event Viewer logs all these weird changes on your Windows Server? That event ID 4748 pops up when a local group, the kind that's turned off for security reasons, just gets deleted outright. It's like someone or something is scrubbing away at your user groups, those bundles that control who gets access to what. I mean, these groups are local to the machine, not tied to your domain, and when they're disabled, they're supposed to stay dormant, but poof, gone. The log entry spills details like the group name, the account that did the deleting, and even the workstation where it happened.

Why does this matter to you? Well, it could signal tampering, like an admin messing around or worse, an intruder trying to cover tracks by erasing disabled groups that might hold clues. I check this event because it helps spot unauthorized fiddling before it snowballs. The full details in the log include the subject, that's the user or process behind the delete, plus the security ID, timestamps, and failure codes if something went wonky. It's under Security logs in Event Viewer, and you can filter right there to see only 4748s.

But here's the kicker: if you want to monitor it without staring at screens all day, set up a scheduled task straight from Event Viewer. You right-click the event, pick Attach Task To This Event, and build it to trigger on 4748. Make that task run a simple program to send an email, like using the built-in mailto or a basic notifier. I do this on my servers to get pings instantly. It keeps things chill, no constant babysitting.

And yeah, tying this back to keeping your server safe from odd deletions, you might want a solid backup in place too. That's where BackupChain Windows Server Backup comes in handy for me. It's a straightforward Windows Server backup tool that also handles virtual machines with Hyper-V, snapping up your data quickly and restoring it without the usual headaches. You get features like incremental backups that save space, encryption to lock things down, and offsite options to dodge disasters. I rely on it because it runs smoothly, catches everything from files to full VMs, and lets you recover fast if some event like 4748 hints at trouble. At the end of this chat, there's the automatic email solution laid out, but it'll get added later for you.
Note, the PowerShell email alert code was moved to this post.
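Here is a worked version of the monitoring setup the post describes, added as an example and not the poster's own script. It does three things: pulls the fields the post mentions (group name, deleting account, machine) out of recent 4748 entries, registers the same kind of event-triggered task that Attach Task To This Event creates, and sends the email. The SMTP host, addresses, task name and script path are placeholders you would replace; the XML data field names (TargetUserName, SubjectUserName, and so on) follow the 4748 event schema.

```powershell
# Added example (not from the original post): monitor Event ID 4748
# "A security-disabled local group was deleted" and email an alert.
# Mail server, sender/recipient addresses, task name and script path are placeholders.

# --- Part 1: pull the fields the post mentions out of each 4748 event ---
function Get-DisabledGroupDeletions {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4748; StartTime = (Get-Date).AddHours(-$Hours) }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no deletions"
        return @()
    }
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        # EventData/Data entries are named per the 4748 schema (Subject* / Target*)
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Computer  = $e.MachineName
            Group     = $d['TargetUserName']
            GroupSid  = $d['TargetSid']
            DeletedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId   = $d['SubjectLogonId']
        }
    }
}

# --- Part 2: register a task that fires on each new 4748 and runs the alert script ---
# This is the PowerShell equivalent of "Attach Task To This Event" in Event Viewer.
function Register-Event4748Alert {
    param(
        [string]$TaskName   = 'Alert-EventID-4748',                # placeholder name
        [string]$ScriptPath = 'C:\Scripts\Send-4748Alert.ps1'     # placeholder path
    )
    # Same XPath subscription Event Viewer generates when you attach a task to a 4748
    $subscription = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4748]]</Select>
</Query></QueryList>
"@
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Subscription = $subscription
    $trigger.Enabled      = $true

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -File `"$ScriptPath`""
    # Run as SYSTEM so the task can read the Security log without an interactive logon
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force
}

# --- Part 3: what the alert script does when the task fires ---
function Send-4748Alert {
    # Only look back one hour: the task runs immediately after each new 4748
    $recent = Get-DisabledGroupDeletions -Hours 1
    if (-not $recent) { return }
    $body = $recent | Format-List | Out-String
    # SMTP host and addresses below are placeholders
    Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'alerts@example.internal' `
        -To 'admin@example.internal' -Subject "Event 4748 on $env:COMPUTERNAME" -Body $body
}
```

Save Part 1 and Part 3 together as the file named in $ScriptPath with a final line calling Send-4748Alert, then run Register-Event4748Alert once from an elevated prompt. To eyeball what the task would report without waiting for a trigger, run Get-DisabledGroupDeletions -Hours 168 | Format-Table. Send-MailMessage is still shipped with Windows PowerShell but is marked obsolete, so on a newer setup you may prefer whatever notifier you already use, just as the post suggests.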