The ACL was set on accounts which are members of administrators groups
On this page
This event, 4780, is logged whenever Windows modifies the ACL of a member of Domain Admins or Administrators to match the standard ACL in the AdminSDHolder object. AdminSDHolder defines a stricter ACL to protect members of admin groups from being modified and taken over by other privileged users like Account Operators.
Windows logs this event only for accounts where it actually has to change the ACL because of it being different from AdminSDHolder. Typically you will only see it once, sometime after adding an account to Domain Admins or Administrators.
You will also see event ID 4738 informing you of the same information.
The user and logon session that performed the action. This will always be ANONYMOUS LOGON.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
- Security ID: SID of the account
- Account Name: name of the account
- Account Domain: domain of the account
Top 10 Windows Security Events to Monitor
The ACL was set on accounts which are members of administrators groups.
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3e6
Security ID: ACME\Domain Admins
Account Name: Domain Admins
Account Domain: DC=acme,DC=local
Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated
Keep me up-to-date on the Windows Security Log.
*We will NOT share this