Windows Security Log Event ID 684

Operating Systems	Windows 2003 and XP
Category	Account Management
Type	Success
Corresponding events in Windows 2008 and Vista	4780

684: Set ACLs of members in administrators groups

On this page

Description of this event
Field level details
Examples

According to MS documentation: "Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged."

I have confirmed this event to exist but it is unclear under exactly what circumstances it is logged.

Free Security Log Resources by Randy

Description Fields in 684

Target Account Name: %1
Target Domain: %2
Target Account ID: %3
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6
Privileges: %7

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

Examples of 684

Set ACLs of members in administrators groups:
Target Account Name:jjackson
Target Domain:DC=elm,DC=local
Target Account ID:ELM\jjackson
Caller User Name:W3DC$
Caller Domain:ELM
Caller Logon ID:(0x0,0x3E7)
Privileges:-

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

January 2026 Patch Tuesday	"Patch Tuesday - Starting 2026 with a Bang; 3 Zero Days " - sponsored by LOGbinder and Supercharger

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2026 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.