Windows Security Log Event ID 684

Operating Systems Windows 2003 and XP
CategoryAccount Management
Type Success
Corresponding events
in Windows 2008
and Vista		 4780  

684: Set ACLs of members in administrators groups

On this page

According to MS documentation: "Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged."

I have confirmed this event to exist but it is unclear under exactly what circumstances it is logged.

Free Security Log Resources by Randy

Description Fields in 684

  •  Target Account Name: %1
  •  Target Domain:  %2
  •  Target Account ID: %3
  •  Caller User Name: %4
  •  Caller Domain: %5
  •  Caller Logon ID: %6
  •  Privileges: %7

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 684

Set ACLs of members in administrators groups:
Target Account Name:jjackson
Target Domain:DC=elm,DC=local
Target Account ID:ELM\jjackson
Caller User Name:W3DC$
Caller Domain:ELM
Caller Logon ID:(0x0,0x3E7)
Privileges:-

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
Additional Resources

    Go To Event ID:

    Security Log
    Quick Reference
    Chart
    Download now!