Event ID: 4776: The computer attempted to validate the credentials for an account
The computer attempted to validate the credentials for an account.
Authentication Package: %1
Logon Account: %2
Source Workstation: %3
Error Code: %4
It's recommended to always audit events in this subcategory on member servers and workstations.
On member servers and workstations the volume of events is normally low; on domain controllers it is usually higher.
This event generates every time that a credential validation occurs using NTLM authentication.
This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
It shows successful and unsuccessful credential validation attempts.
It shows only the computer name (Source Workstation) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1) is not presented in this event.
If a credential validation attempt fails, you will see a Failure event with Error Code parameter value not equal to “0x0”.
The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged on” because it contains more details and is more informative.
This event also generates when a workstation unlock event occurs.
This event does not generate when a domain account logs on locally to a domain controller.
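The following added example (not part of the original page) parses 4776 records exported as event XML and groups failed validations, those with an Error Code other than 0x0, by Source Workstation, so a single source failing against many accounts stands out. The sample records are constructed; PackageName, TargetUserName, Workstation and Status are the event XML names of the four message parameters, and the `<Events>` wrapper is an assumption about how the records were exported.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real log data), built from one template.
_EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          '<System><EventID>{eid}</EventID></System><EventData>'
          '<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
          '<Data Name="TargetUserName">{user}</Data>'
          '<Data Name="Workstation">{ws}</Data>'
          '<Data Name="Status">{status}</Data></EventData></Event>')
_ROWS = [(4776, "alice", "CLIENT-1", "0x0"),
         (4776, "alice", "CLIENT-2", "0xc000006a"),
         (4776, "bob", "CLIENT-2", "0xc000006a"),
         (4776, "carol", "CLIENT-2", "0xc000006a"),
         (4776, "svc-backup", "", "0xc0000064"),   # Source Workstation left empty
         (4624, "alice", "CLIENT-1", "0x0")]       # other event ID, must be skipped
SAMPLE = "<Events>" + "".join(
    _EVENT.format(eid=e, user=u, ws=w, status=s) for e, u, w, s in _ROWS) + "</Events>"


def parse_4776(xml_text):
    """Return one dict per 4776 record inside an <Events> wrapper."""
    records = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4776":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        records.append({
            "account": data.get("TargetUserName", ""),
            "source": data.get("Workstation", "").strip() or "(blank)",
            "error_code": int(data.get("Status") or "0x0", 16),
        })
    return records


def failures_by_source(records):
    """Group failed validations (Error Code != 0x0) by Source Workstation."""
    summary = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for rec in records:
        if rec["error_code"] != 0:
            summary[rec["source"]]["failures"] += 1
            summary[rec["source"]]["accounts"].add(rec["account"])
    return dict(summary)


if __name__ == "__main__":
    for source, info in sorted(failures_by_source(parse_4776(SAMPLE)).items(),
                               key=lambda kv: -kv[1]["failures"]):
        print(source, info["failures"], sorted(info["accounts"]))
```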
| Error Code | Status | %4 | Any |
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Credential Validation"