Windows Security Log Event ID 684

Operating Systems Windows 2003 and XP
CategoryAccount Management
Type Success
Corresponding events
in Windows 2008
and Vista

684: Set ACLs of members in administrators groups

On this page

According to MS documentation: "Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged."

I have confirmed this event to exist but it is unclear under exactly what circumstances it is logged.

Free Security Log Resources by Randy

Description Fields in 684

  •  Target Account Name: %1
  •  Target Domain:  %2
  •  Target Account ID: %3
  •  Caller User Name: %4
  •  Caller Domain: %5
  •  Caller Logon ID: %6
  •  Privileges: %7

Supercharger Free Edition


Examples of 684

Set ACLs of members in administrators groups:
Target Account Name:jjackson
Target Domain:DC=elm,DC=local
Target Account ID:ELM\jjackson
Caller User Name:W3DC$
Caller Domain:ELM
Caller Logon ID:(0x0,0x3E7)

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Upcoming Webinars
    Additional Resources