10-11-2024, 03:04 PM
It pops up whenever someone's local group memberships get listed out.
Like, if a user account queries what groups another account belongs to on the machine.
The log captures the security ID of the one doing the asking.
It notes the target account name too.
And the process that kicked it off.
Hmmm, or sometimes it's from network logons.
This event flags potential audits or sneaky checks.
You see it in the Security log under Account Logon category.
Full details include timestamps and failure codes if it bombs.
But mostly, it's auditing who's peeking at group info.
I've seen it trigger during routine admin stuff.
Or when malware probes permissions.
You want to watch it close on servers.
Now, for monitoring with email alerts, fire up Event Viewer.
Right-click the Security log.
Filter for event ID 4798.
Spot one that matches what you care about.
Then, right-click it again.
Choose Attach Task To This Event.
Name your task something snappy.
In the triggers tab, it's already set to that event.
Actions tab, pick Send an e-mail.
Fill in your SMTP server details.
To and from addresses.
Subject like "Group Enum Alert on Server."
Body can say the event basics.
Test it out.
If emails fly right, you're golden.
I do this on my setups all the time.
Keeps you looped in without staring at screens.
And hey, if you need a hands-off way, the automatic email solution sits at the end here.
Speaking of keeping servers humming smooth, I've been eyeing BackupChain Windows Server Backup lately.
It's this solid Windows Server backup tool that handles file-level stuff and full images.
Plus, it tackles Hyper-V virtual machines without a hitch.
You get incremental backups that save space and time.
Restores are quick, even to bare metal.
No downtime headaches, and it encrypts everything tight.
I like how it schedules around your workload too.
Note, the PowerShell email alert code was moved to this post.
