Event ID 4776
The computer attempted to validate the credentials for an account
The computer attempted to validate the credentials for an account. Authentication Package: %1 Logon Account: %2 Source Workstation: %3 Error Code: %4
This event generates every time that a credential validation occurs using NTLM authentication.
This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
It shows successful and unsuccessful credential validation attempts.
It shows only the computer name (Source Workstation) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1) is not presented in this event.
If a credential validation attempt fails, you will see a Failure event with Error Code parameter value not equal to “0x0”.
The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged on” because it contains more details and is more informative.
This event also generates when a workstation unlock event occurs.
This event does not generate when a domain account logs on locally to a domain controller.
It's recommended to always audit events in this subcategory on member servers and workstations.
On member servers and workstations the volume of events is normally low; on domain controllers it is usually higher.
CJIS 5.4.1.1.1
ISO 27001:2013 A.12.4.1
NIST 800-171: 3.1.1
CMMC v2 L1: AC.L1-3.1.1
NIST SP 800-53: AC-2
PCI 3.2.1: 10.2.4
HIPAA: 164.308 (a)(5)(ii)(C)
Name | Field | Insertion String | OS | Example
---|---|---|---|---
Authentication Package | PackageName | %1 | Any | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account | TargetUserName | %2 | Any | UserName
Source Workstation | Workstation | %3 | Any | ComputerName
Error Code | Status | %4 | Any | View Codes
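The following Python example is added here and is not part of the original page. It reads 4776 events in Windows event XML form, treats any Status other than 0x0 as a failure, and groups failures by Source Workstation. The sample events, the `_event` helper and the threshold of 3 are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(user, workstation, status, event_id=4776):
    """Build one constructed event in the Windows event XML layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        '<EventData>'
        '<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="Workstation">{workstation}</Data>'
        f'<Data Name="Status">{status}</Data></EventData></Event>'
    )

# Constructed sample data, not taken from a real Security log.
SAMPLE_EVENTS = [
    _event("alice", "CLIENT-1", "0x0"),
    _event("alice", "CLIENT-2", "0xc000006a"),
    _event("alice", "CLIENT-9", "0xc000006a"),
    _event("bob", "CLIENT-9", "0xc000006a"),
    _event("carol", "CLIENT-9", "0xc0000064"),
    _event("Alice", "CLIENT-9", "0xC000006A"),
    _event("dave", "CLIENT-9", "0x00000000"),                # success, zero-padded
    _event("erin", "CLIENT-9", "0xc000006a", event_id=4624),  # other event ID, ignored
]

def parse_4776(xml_text):
    """Return the 4776 fields as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4776":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # Compare numerically so "0x0" and "0x00000000" both count as success.
    data["Failed"] = int(data["Status"], 16) != 0
    return data

def failures_by_source(events, threshold=3):
    """Map each Source Workstation with >= threshold failures to its count and accounts."""
    counts, accounts = Counter(), {}
    for xml_text in events:
        ev = parse_4776(xml_text)
        if ev is None or not ev["Failed"]:
            continue
        ws = ev["Workstation"]
        counts[ws] += 1
        accounts.setdefault(ws, set()).add(ev["TargetUserName"].lower())
    return {ws: {"failures": n, "accounts": sorted(accounts[ws])}
            for ws, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(failures_by_source(SAMPLE_EVENTS))
```

Several distinct accounts failing from one Source Workstation stands out in this summary. Because the event does not record the destination computer, the workstation name is the only host to pivot on.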
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Credential Validation"