Windows Security Log Event ID 4780

Operating Systems	Windows Vista Windows Server 2008
Category • Subcategory	Account Management • User Account Management
Type	Success
Corresponding events in Windows 2003 and before	684

Discussions on Event ID 4780

Ask a question about this event

4780: The ACL was set on accounts which are members of administrators groups

On this page

Description of this event
Field level details
Examples
Discuss this event

This event, 4780, is logged whenever Windows modifies the ACL of a member of Domain Admins or Administrators to match the standard ACL in the AdminSDHolder object. AdminSDHolder defines a stricter ACL to protect members of admin groups from being modified and taken over by other privileged users like Account Operators.

Windows logs this event only for accounts where it actually has to change the ACL because of it being different from AdminSDHolder. Typically you will only see it once, sometime after adding an account to Domain Admins or Administrators.

You will also see event ID 4738 informing you of the same information.

Free Security Log Quick Reference Chart

Description Fields in 4780

Subject:

The user and logon session that performed the action. This will always be ANONYMOUS LOGON.

Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Target Account:

Security ID: SID of the account
Account Name: name of the account
Account Domain: domain of the account

Top 10 Events to Monitor

Examples of 4780

The ACL was set on accounts which are members of administrators groups.

Subject:

   Security ID: ANONYMOUS LOGON
   Account Name: ANONYMOUS LOGON
   Account Domain: NT AUTHORITY
   Logon ID: 0x3e6

Target Account:

   Security ID: ACME\Domain Admins
   Account Name: Domain Admins
   Account Domain: DC=acme,DC=local

Additional Information:

Privileges: -

Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Training for the Windows Security Log

Security Log Secrets

In-Depth Training
On-Site or On-Demand

Security Log Resource Kit

Discussions on Event ID 4780

Ask a question about this event

Upcoming Webinars

Additional Resources

Encyclopedia

•	All Event IDs
•	Audit Policy

Go To Event ID:

Security Log
Quick Reference
Chart
Download now!

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2010 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.