Event ID: 4780
The ACL was set on accounts which are members of administrators groupsThe ACL was set on accounts which are members of administrators groups.
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Target Account:
Security ID: %3
Account Name: %1
Account Domain: %2
Additional Information:
Privileges: %8
Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.
For some reason, this event doesn’t generate on some OS versions.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"User Account Management"
Operating Systems:
Windows 2008 Windows 2008 R2 Windows 2012 Windows 2012 R2 Windows 2016 Windows 2019 Windows 2022Tags:
Domain Controller Audit SuccessLEFT/RIGHT arrow keys for navigation
Back to List