Windows Security Log Event ID 4780

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	Account Management • User Account Management
Type	Success
Corresponding events in Windows 2003 and before	684

4780: The ACL was set on accounts which are members of administrators groups

On this page

Description of this event
Field level details
Examples
Mini-seminars on this event

This event, 4780, is logged whenever Windows modifies the ACL of a member of Domain Admins or Administrators to match the standard ACL in the AdminSDHolder object. AdminSDHolder defines a stricter ACL to protect members of admin groups from being modified and taken over by other privileged users like Account Operators.

Windows logs this event only for accounts where it actually has to change the ACL because of it being different from AdminSDHolder. Typically you will only see it once, sometime after adding an account to Domain Admins or Administrators.

You will also see event ID 4738 informing you of the same information.

Free Security Log Resources by Randy

Description Fields in 4780

Subject:

The user and logon session that performed the action. This will always be ANONYMOUS LOGON.

Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Target Account:

Security ID: SID of the account
Account Name: name of the account
Account Domain: domain of the account

Supercharger Free Edition

Examples of 4780

The ACL was set on accounts which are members of administrators groups.

Subject:

   Security ID: ANONYMOUS LOGON
   Account Name: ANONYMOUS LOGON
   Account Domain: NT AUTHORITY
   Logon ID: 0x3e6

Target Account:

   Security ID: ACME\Domain Admins
   Account Name: Domain Admins
   Account Domain: DC=acme,DC=local

Additional Information:

Privileges: -

Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 4780

Tracking an End-User’s Activities through the Windows Security Log and Other Audit Logs

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.