
4780 The ACL was set on accounts which are members of administrators groups (AdminSDHolder)

Written when the AdminSDHolder ACL is applied (reset) onto members of privileged groups. It reflects the operation of AD’s protection mechanism SDProp, and relates to detecting persistence attacks.

Overview

The subcategory is Audit User Account Management. Every hour, the domain controller holding the PDC FSMO role compares the ACL of members of administrative/sensitive groups (accounts with AdminCount=1) against the ACL of the AdminSDHolder object, and if they differ, resets the member’s ACL to match AdminSDHolder’s. This event is generated at that point (it may not be generated on some OS versions).

How it is triggered

  • When SDProp (the Security Descriptor Propagator) runs on its schedule (default 60-minute interval) and resets a privileged account’s ACL.

Security review points

  • Detecting AdminSDHolder abuse: if an attacker adds a permission for their own account to the AdminSDHolder object’s ACL, SDProp propagates that permission to all privileged accounts, creating powerful and inconspicuous persistence. Monitor changes to the AdminSDHolder ACL (DS changes such as 5136) together with the propagation reflected by this event.
  • Check the ACL contents for whether an unexpected account has gained rights over privileged accounts.

Notes for log review

  • SDProp runs periodically even in normal operation. What matters is “whether the AdminSDHolder ACL itself was changed,” and the proper approach is to monitor that via 5136 (directory service object change). Read 4780 as the propagation result.
  • Since it may not be generated on some OS versions, do not rely on it alone; combine with directory auditing.
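The review approach above (watch 5136 on the AdminSDHolder ACL, read 4780 as the propagation result) as an added correlation example; this is not code from the original page. The Event record, the EventData field names (ObjectDN, AttributeLDAPDisplayName, OperationType, SubjectUserName, TargetUserName) and the sample log are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical minimal record: one Security-log event with its EventData fields.
@dataclass
class Event:
    time: datetime
    event_id: int
    data: dict

ADMINSDHOLDER_PREFIX = "CN=ADMINSDHOLDER,CN=SYSTEM,"

def is_adminsdholder_acl_change(ev: Event) -> bool:
    """5136 that writes nTSecurityDescriptor on the AdminSDHolder object itself."""
    return (ev.event_id == 5136
            and ev.data.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
            and ev.data.get("ObjectDN", "").upper().startswith(ADMINSDHOLDER_PREFIX))

def correlate(events, window=timedelta(hours=2)):
    """Every AdminSDHolder ACL change is a finding on its own (4780 may be absent on
    some OS versions); the 4780 events inside `window` after it show who the change
    propagated to. 4780 events with no preceding change are routine SDProp noise."""
    changes = sorted((e for e in events if is_adminsdholder_acl_change(e)), key=lambda e: e.time)
    resets = sorted((e for e in events if e.event_id == 4780), key=lambda e: e.time)
    findings = []
    for ch in changes:
        propagated = [r.data.get("TargetUserName") for r in resets
                      if ch.time <= r.time <= ch.time + window]
        findings.append({"changed_at": ch.time,
                         "changed_by": ch.data.get("SubjectUserName"),
                         "operation": ch.data.get("OperationType"),
                         "propagated_to": propagated})
    return findings

# Constructed sample log: a routine SDProp reset, an unrelated 5136, then an
# AdminSDHolder ACL change by "jdoe" followed by SDProp propagating it.
T = datetime(2024, 5, 1)
SAMPLE_EVENTS = [
    Event(T + timedelta(hours=1), 4780, {"TargetUserName": "Administrator", "SubjectUserName": "DC01$"}),
    Event(T + timedelta(hours=2), 5136, {"ObjectDN": "CN=Finance,OU=Groups,DC=corp,DC=example",
                                         "AttributeLDAPDisplayName": "description",
                                         "SubjectUserName": "jdoe", "OperationType": "Value Added"}),
    Event(T + timedelta(hours=2, minutes=10), 5136, {"ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
                                                     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
                                                     "SubjectUserName": "jdoe", "OperationType": "Value Added"}),
    Event(T + timedelta(hours=3), 4780, {"TargetUserName": "Administrator", "SubjectUserName": "DC01$"}),
    Event(T + timedelta(hours=3), 4780, {"TargetUserName": "svc-backup", "SubjectUserName": "DC01$"}),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['changed_at']:%Y-%m-%d %H:%M} AdminSDHolder ACL {f['operation']} by "
              f"{f['changed_by']}; propagated to {f['propagated_to'] or 'no 4780 seen yet'}")
```

The routine 4780 at 01:00 and the unrelated 5136 on the Finance group produce no finding; only the nTSecurityDescriptor write on AdminSDHolder does, with the later 4780 events listed as its propagation.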

Key fields

Field                   Meaning
Target Account          The privileged account whose ACL was reset
Subject\Account Name    The subject that performed the processing (often the system)

Glossary

  • AdminSDHolder / SDProp — an AD protection mechanism that keeps privileged accounts’ ACLs at a set baseline. Tampering with the AdminSDHolder ACL is abused for persistence that propagates to all privileged accounts.
