Windows Security Log Event ID 4780

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10
Category • Subcategory: Account Management • User Account Management
Type: Success
Corresponding events in Windows 2003 and before: 684

4780: The ACL was set on accounts which are members of administrators groups


Event 4780 is logged whenever Windows modifies the ACL of a member of Domain Admins or Administrators to match the standard ACL on the AdminSDHolder object. AdminSDHolder defines a stricter ACL that protects members of admin groups from being modified and taken over by other privileged users such as Account Operators.

Windows logs this event only for accounts whose ACL it actually has to change because it differs from the AdminSDHolder ACL. Typically you will see it only once, sometime after adding an account to Domain Admins or Administrators.

You will also see event ID 4738, which reports the same information.


Description Fields in 4780

Subject:

The user and logon session that performed the action.  This will always be ANONYMOUS LOGON. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. It allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Target Account: 

  • Security ID:  SID of the account
  • Account Name:  name of the account
  • Account Domain: domain of the account


Examples of 4780

The ACL was set on accounts which are members of administrators groups.

Subject:

   Security ID:  ANONYMOUS LOGON
   Account Name:  ANONYMOUS LOGON
   Account Domain:  NT AUTHORITY
   Logon ID:  0x3e6

Target Account:

   Security ID:  ACME\Domain Admins
   Account Name:  Domain Admins
   Account Domain:  DC=acme,DC=local

Additional Information:

   Privileges:  -

Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on every security principal (users, groups, and machine accounts) in its domain that belongs to an administrative group against the ACL on the AdminSDHolder object. If the ACL on the principal differs from the ACL on the AdminSDHolder object, the principal's ACL is reset to match the AdminSDHolder ACL and this event is generated.
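
A triage sketch for the behaviour described above, added here as an example and not taken from the original page: it parses rendered 4780 messages in the layout of the example and reports any target whose ACL was reset more than once, which means the ACL diverged from AdminSDHolder again between hourly runs. The sample events, the timestamps, the account ACME\svc-backup and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed message template in the layout of the example on this page.
TEMPLATE = """The ACL was set on accounts which are members of administrators groups.

Subject:
   Security ID:  ANONYMOUS LOGON
   Account Name:  ANONYMOUS LOGON
   Account Domain:  NT AUTHORITY
   Logon ID:  0x3e6

Target Account:
   Security ID:  {sid}
   Account Name:  {name}
   Account Domain:  DC=acme,DC=local
"""

# Constructed sample events: (timestamp, rendered message).
SAMPLE = [
    ("2024-05-01T10:00", TEMPLATE.format(sid=r"ACME\Domain Admins", name="Domain Admins")),
    ("2024-05-01T10:00", TEMPLATE.format(sid=r"ACME\svc-backup", name="svc-backup")),
    ("2024-05-01T11:00", TEMPLATE.format(sid=r"ACME\svc-backup", name="svc-backup")),
    ("2024-05-01T12:00", TEMPLATE.format(sid=r"ACME\svc-backup", name="svc-backup")),
]

def parse_4780(message):
    """Return {section: {field: value}} for one rendered 4780 message."""
    sections, current = {}, None
    for line in message.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if not value:            # "Subject:" / "Target Account:" open a section
            current = sections.setdefault(key, {})
        elif current is not None:
            current[key] = value
    return sections

def repeated_resets(events):
    """Map target -> timestamps for targets whose ACL was reset more than once."""
    seen = defaultdict(list)
    for ts, message in events:
        target = parse_4780(message).get("Target Account", {}).get("Security ID")
        seen[target].append(ts)
    return {t: stamps for t, stamps in seen.items() if len(stamps) > 1}

if __name__ == "__main__":
    for target, stamps in repeated_resets(SAMPLE).items():
        print(f"{target}: ACL reset {len(stamps)} times ({', '.join(stamps)})")
```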
