Windows Event ID 4780: ACL was set on accounts in administrators groups
Windows Security Event ID 4780 records AdminSDHolder ACL reset activity for protected administrative accounts.
- Applicable version
- Windows Server 2008 R2 and later
- Last reviewed
- 2026-07-13
Trigger Scenarios
On the PDC emulator, Windows compares protected security principals with AdminCount=1 against the AdminSDHolder ACL about every hour and resets differing ACLs, generating this event.
Key Fields
Target Account: Security ID / Account Name / Account Domain
Identifies the protected user, group, or machine account whose ACL was reset to match AdminSDHolder.
Subject: Security ID / Account Name / Logon ID
Identifies the security context associated with the reset operation and supports correlation to administrative activity.
Privileges
Additional Information field in the Microsoft schema. Use it to understand whether special privileges were present during the ACL reset.
Common False Positives
- Expected hourly AdminSDHolder protection can generate this event after legitimate ACL drift on protected accounts.
- Directory cleanup or privileged group membership changes can cause new accounts with AdminCount=1 to be protected.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
Detection Notes
Use threshold=1 unexpected Target Account newly showing AdminCount=1 or appearing after privileged group changes. Microsoft documents that the PDC compares protected accounts every hour and resets ACLs to AdminSDHolder; therefore 4780 after a new 4728/4732/4756 membership event can reveal T1098 Account Manipulation that placed an account into a protected administrative group. Do not look for Access Mask 0x40000 or 0x80000 here; those fields are not in the Microsoft 4780 schema.
SecurityEvent
| where EventID == 4780
| project TimeGenerated, Computer, Accountindex=wineventlog EventCode=4780 | table _time, hostEventID: 4780
Target Account Name: svc-build
Target Account Domain: CORP
Subject Account Name: DC01$
Logon ID: 0x3e7
Privileges: -