Event ID: 4780

The ACL was set on accounts which are members of administrators groups

The ACL was set on accounts which are members of administrators groups.


Subject:
    Security ID:    %4
    Account Name:   %5
    Account Domain: %6
    Logon ID:       %7

Target Account:
    Security ID:        %3
    Account Name:       %1
    Account Domain:     %2

Additional Information:
    Privileges:     %8

Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on every security principal account (users, groups, and machine accounts) in its domain that is a member of an administrative group against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.

Microsoft Documentation

Event ID - 4780



Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on every security principal account (users, groups, and machine accounts) in its domain that is a member of an administrative or security-sensitive group and has the AdminCount attribute set to 1 against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.

For some reason, this event doesn’t generate on some OS versions.
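
As an added example (not part of this page or of Microsoft's documentation), the Python below parses rendered 4780 messages that follow the template above and lists target accounts whose ACL was reset more than once. The function names, the two-reset threshold and the sample events are assumptions made for illustration.

```python
import re
from collections import defaultdict

SECTION = re.compile(r"^(Subject|Target Account|Additional Information):\s*$")
FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")

def parse_4780(message):
    """Return {(section, field): value}. Keying on the section keeps the Subject's
    'Security ID' apart from the Target Account field of the same name."""
    fields, section = {}, None
    for line in message.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = FIELD.match(line)
        if m and section:
            fields[(section, m.group(1).strip())] = m.group(2).strip()
    return fields

def repeated_resets(events, threshold=2):
    """Map target SID -> sorted timestamps for targets reset >= threshold times."""
    seen = defaultdict(list)
    for ts, message in events:
        sid = parse_4780(message).get(("Target Account", "Security ID"))
        if sid:
            seen[sid].append(ts)
    return {sid: sorted(t) for sid, t in seen.items() if len(t) >= threshold}

# Constructed sample data: every name, SID and timestamp below is made up.
def sample_message(target_sid, target_name):
    return (
        "The ACL was set on accounts which are members of administrators groups.\n\n"
        "Subject:\n    Security ID:    S-1-5-7\n    Account Name:   ANONYMOUS LOGON\n"
        "    Account Domain: NT AUTHORITY\n    Logon ID:       0x3e6\n\n"
        "Target Account:\n"
        f"    Security ID:        {target_sid}\n    Account Name:       {target_name}\n"
        "    Account Domain:     EXAMPLE\n\n"
        "Additional Information:\n    Privileges:     -\n"
    )

SAMPLE = [
    ("2024-05-01T09:00:12", sample_message("S-1-5-21-1-2-3-1104", "svc-backup")),
    ("2024-05-01T10:00:09", sample_message("S-1-5-21-1-2-3-1104", "svc-backup")),
    ("2024-05-01T10:00:09", sample_message("S-1-5-21-1-2-3-1150", "new-admin")),
]

if __name__ == "__main__":
    print(repeated_resets(SAMPLE))
```

Because the event is generated only when an account's ACL differed from AdminSDHolder, a target that appears in more than one run had its ACL changed again after the previous reset and is worth reviewing alongside the correlated 4738 events.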



Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Other Logon/Logoff Events"


Audit Category:
Account Management

Audit Subcategory:
Other Logon/Logoff Events

Legacy Events:
684

Correlated Events:
4738
