EventPeeker
Event ID 4754 · Audit Success · Security · T1136

Windows Event ID 4754: Security-Enabled Universal Group Created

Logged when a new security-enabled universal group is created in Active Directory. Universal security groups replicate to the Global Catalog and can contain members from any domain in the forest, making them the highest-impact group type for attackers. A single universal group added to Domain Admins or Enterprise Admins grants forest-wide elevated access across every domain — this makes 4754 a higher-priority event than the equivalent local (4731) or global (4727) group creation events.

MITRE ATT&CK

Technique

T1136 · Create Account

Tactic

Persistence


Why It Matters

Universal group creation requires Domain Admin or Account Operators privileges — any 4754 event from a non-privileged account is immediately suspicious and indicates either privilege escalation has already occurred or a privileged account has been compromised. Universal groups are the broadest persistence vehicle in a multi-domain forest: a single universal group membership grants access wherever that group's permissions are honored, which is across the entire forest. Detection of unauthorized universal group creation is a critical control for multi-domain environments where an attacker may be targeting forest-wide persistence rather than a single domain.

Key Fields

Group Name: The name of the newly created universal group. Universal groups are typically named for cross-domain or forest-wide functions — generic or service-like names that do not correspond to a documented forest-wide role are suspicious.
Subject Account Name: The account that created the universal group. Universal group creation requires Domain Admin or Account Operators membership — creation by an account outside those roles indicates the Subject Account has already been elevated and the 4754 is a downstream persistence step.
Group SID: The Security Identifier assigned to the new universal group. This SID will appear in subsequent 4756 events (member added), 4728 events if the group is nested into Domain Admins, and 4757 events if members are removed during cleanup.

Investigation Tips

  1. Universal group creation is rare: in most environments, universal groups are created once during initial AD design and rarely thereafter. Any 4754 event that does not correspond to a documented forest architecture change or cross-domain project warrants immediate review — the bar for investigation is lower than for local or global group creation.
  2. Correlate with 4756 immediately: check for member additions (4756) to the new universal group within minutes of its creation. If an attacker creates a universal group and immediately populates it with their controlled accounts, the 4754+4756 sequence is the complete backdoor provisioning chain.
  3. Check if the new group is nested into privileged groups: run `Get-ADGroupMember -Identity 'Domain Admins'` and `Get-ADGroupMember -Identity 'Enterprise Admins'` to verify whether the new universal group was added to either group. A 4728 event adding the new universal group to Domain Admins or Enterprise Admins has forest-wide impact.
  4. Forest-wide scope means a single 4754 affects all domains: unlike global group creation (4727), which affects one domain, a universal group added to Enterprise Admins grants admin rights across every domain in the forest. Treat unauthorized 4754 events with the same urgency as Enterprise Admins membership changes.
  5. Correlate with 4738 (user account changed): attackers sometimes create a universal group and then modify an existing user account to set the group as the primary group (changing primaryGroupID). This modification is captured in 4738 and grants the user all permissions of the universal group without a visible 4756 member-added event.

Related Event IDs

4756: Member added to universal group — the follow-on event; a new group populated immediately after 4754 is the backdoor loading step
4757: Member removed from universal group — cleanup phase before group deletion
4755: Universal group changed — group attribute modification to rename or reconfigure the backdoor group
4758: Universal group deleted — attacker cleanup after using the backdoor group
4728: Member added to global/privileged group — universal groups nested into Domain Admins or Enterprise Admins for forest-wide access

Frequently Asked Questions

What makes universal groups different from global groups for security?
The key difference is scope and replication. Global groups (4727) contain members only from their own domain and replicate only between DCs in that domain — their impact is limited to one domain. Universal groups (4754) can contain members from any domain in the forest and replicate to the Global Catalog, which is queried by every DC in every domain during authorization. This means a universal group membership is honored everywhere in the forest, not just in one domain. For an attacker who has compromised a single domain and wants forest-wide persistence, creating a universal group and adding it to Enterprise Admins is a single operation that grants admin access across every domain — this is why 4754 is treated as a higher-priority event than 4727 in multi-domain environments.
Why is Event 4754 higher priority than Event 4727 or Event 4731?
Priority scales with blast radius. A 4731 (local group creation) affects one machine. A 4727 (global group creation) affects one domain. A 4754 (universal group creation) affects the entire AD forest. Additionally, universal group creation requires higher privileges than local or global group creation — the fact that it occurred means the attacker already has significant AD access (Domain Admin or Account Operators). This combination — high privilege required to create + high impact if the group is used maliciously — makes 4754 the highest-priority of the three group creation events. In a SIEM triage context, any unauthorized 4754 should be treated as a potential domain compromise indicator requiring immediate investigation.
How do I monitor universal group creation in a multi-domain forest?
Universal group creation events (4754) are logged on the DC that processed the LDAP write. Because universal groups replicate to the Global Catalog, they are visible across all domains — but the 4754 event only exists on the creating DC. In a multi-domain forest, this means you must collect Security event logs from all DCs in every domain and aggregate them in a centralized SIEM. Alerting logic should fire on any 4754 where Subject Account Name is not in an approved provisioning account list, with a secondary alert for any 4728 event where the new member is a recently created universal group (linking 4754 → 4728 to detect the group-to-privileged-group nesting chain). For forests with Microsoft Defender for Identity (MDI), universal group creation is surfaced in the MDI identity security posture assessments, providing an additional detection layer.
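The correlation chain described in the investigation tips and in this answer (4754 from an unapproved creator, then 4756, 4728 or 4738 referencing the new group's SID inside a short window), as an added Python stand-in for SIEM alerting logic; this is not EventPeeker's code, and the event records, field names, SIDs, timestamps, account names and the approved-creator list are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events with simplified field names (not real log data).
# A 4754 from a non-approved account is followed within minutes by a 4756
# (member added), a 4728 (group nested into Domain Admins) and a 4738
# (primaryGroupID changed to the new group's RID); a second 4754 from an
# approved provisioning account has no follow-on activity.
EVENTS = [
    {"id": 4754, "time": "2024-05-01T10:00:00", "subject": "svc-backup",
     "group": "Forest-Ops", "group_sid": "S-1-5-21-1-2-3-1105"},
    {"id": 4756, "time": "2024-05-01T10:02:30", "subject": "svc-backup",
     "group": "Forest-Ops", "group_sid": "S-1-5-21-1-2-3-1105", "member": "jdoe"},
    {"id": 4728, "time": "2024-05-01T10:05:00", "subject": "svc-backup",
     "group": "Domain Admins", "member_sid": "S-1-5-21-1-2-3-1105"},
    {"id": 4738, "time": "2024-05-01T10:06:00", "subject": "svc-backup",
     "target": "jdoe", "primary_group_id": "1105"},
    {"id": 4754, "time": "2024-05-02T09:00:00", "subject": "ad-provisioning",
     "group": "HR-Forest-Readers", "group_sid": "S-1-5-21-1-2-3-1110"},
]
APPROVED_CREATORS = {"ad-provisioning"}  # assumed provisioning allow-list
WINDOW = timedelta(minutes=15)           # assumed correlation window


def correlate(events, approved=APPROVED_CREATORS, window=WINDOW):
    """Return (alert_type, group_name, detail) tuples for every 4754 chain."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    events = sorted(events, key=ts)
    alerts = []
    for e in events:
        if e["id"] != 4754:
            continue
        if e["subject"] not in approved:
            alerts.append(("unapproved_creator", e["group"], e["subject"]))
        sid = e["group_sid"]
        rid = sid.rsplit("-", 1)[1]  # primaryGroupID holds the group's RID
        for f in events:
            delta = ts(f) - ts(e)
            if not (timedelta(0) <= delta <= window):
                continue
            if f["id"] == 4756 and f.get("group_sid") == sid:
                alerts.append(("populated_after_create", e["group"], f["member"]))
            elif f["id"] == 4728 and f.get("member_sid") == sid:
                alerts.append(("nested_into_privileged", e["group"], f["group"]))
            elif f["id"] == 4738 and f.get("primary_group_id") == rid:
                alerts.append(("primary_group_set", e["group"], f["target"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```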
