Windows Security Log Event ID 4780
Operating Systems | Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022 |
Category • Subcategory | Account Management • User Account Management |
Type | Success |
Corresponding events in Windows 2003 and before | 684 |
4780: The ACL was set on accounts which are members of administrators groups
This event, 4780, is logged whenever Windows modifies the ACL of a member of Domain Admins or Administrators to match the standard ACL in the AdminSDHolder object. AdminSDHolder defines a stricter ACL to protect members of admin groups from being modified and taken over by other privileged users like Account Operators.
Windows logs this event only for accounts whose ACL it actually has to change because it differs from the ACL on AdminSDHolder. Typically you will only see it once, sometime after adding an account to Domain Admins or Administrators.
You will also see event ID 4738 reporting the same information.
Subject:
The user and logon session that performed the action. This will always be ANONYMOUS LOGON.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Target Account:
- Security ID: SID of the account
- Account Name: name of the account
- Account Domain: domain of the account
The ACL was set on accounts which are members of administrators groups.
Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3e6
Target Account:
Security ID: ACME\Domain Admins
Account Name: Domain Admins
Account Domain: DC=acme,DC=local
Additional Information:
Privileges: -
Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on every security principal account (users, groups, and machine accounts) in its domain that belongs to an administrative group against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.
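The following Python sketch is an added example, not part of the original page. It parses the rendered 4780 message text in the layout shown above and reports target accounts whose ACL was reset more than once; because the event is logged only when the ACL differs from AdminSDHolder, a repeat means the ACL was changed again between hourly runs. The sample events, the account name svc-backup, the timestamps and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Rendered 4780 message text, following the layout of the sample event above.
TEMPLATE = """The ACL was set on accounts which are members of administrators groups.
Subject:
    Security ID: ANONYMOUS LOGON
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x3e6
Target Account:
    Security ID: ACME\\{name}
    Account Name: {name}
    Account Domain: ACME
Additional Information:
    Privileges: -"""

# Constructed sample data (timestamp, message); svc-backup is a hypothetical account.
EVENTS = [
    ("2024-05-01T09:00:12", TEMPLATE.format(name="Domain Admins")),
    ("2024-05-01T10:00:09", TEMPLATE.format(name="svc-backup")),
    ("2024-05-01T11:00:11", TEMPLATE.format(name="svc-backup")),
    ("2024-05-01T12:00:10", TEMPLATE.format(name="svc-backup")),
]

def parse_4780(message):
    """Return {section: {field: value}} from a rendered 4780 message."""
    sections, current = {}, None
    for raw in message.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                      # description line, no field
        if not value.strip():
            current = sections.setdefault(key, {})   # "Subject:" style header
        elif current is not None:
            current[key] = value.strip()  # split on first colon only
    return sections

def repeated_resets(events, threshold=2):
    """Map target SID -> timestamps for targets reset at least `threshold` times."""
    seen = defaultdict(list)
    for timestamp, message in events:
        sid = parse_4780(message).get("Target Account", {}).get("Security ID")
        if sid:
            seen[sid].append(timestamp)
    return {sid: sorted(ts) for sid, ts in seen.items() if len(ts) >= threshold}

if __name__ == "__main__":
    for sid, stamps in repeated_resets(EVENTS).items():
        print(f"{sid}: ACL reset {len(stamps)} times -> {stamps}")
```

Accounts reported here are candidates for review alongside the matching 4738 events for the same target.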