Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Event ID 4776 The computer attempted to validate the credentials for an account.

Posted on 2010-11-11
1
Medium Priority
?
29,767 Views
Last Modified: 2012-06-27
Hello,
Starting Saturday evening I am getting flooded on my DC server (DCVAD) with some Credential Validations ... No changes were done to any of the systems at that time ... It seems that all are coming from two workstations - Grizzly and Kodiak
All my search didn't find anything relevant on event 4776

Appreciate the help and here is the Splunk capture of some events (look at the time stamp please):

1    
11/10/10
9:59:52.000 PM    
20101110215952.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3629013
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045952.624283-000
TimeWritten=20101111045952.624283-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r***********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r******aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.***********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

2    
11/10/10
9:59:19.000 PM    
20101110215919.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628998
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045919.174798-000
TimeWritten=20101111045919.174798-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    GRIZZLY$Source Workstation:    GRIZZLYError Code:    0x0 Options| User=NULL Options| host=DCVAD.*********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

3    
11/10/10
9:59:18.000 PM    
20101110215918.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628997
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045918.190530-000
TimeWritten=20101111045918.190530-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r*********aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.*********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

4    
11/10/10
9:58:44.000 PM    
20101110215844.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.*********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628981
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045844.850408-000
TimeWritten=20101111045844.850408-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r********aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.**************.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options
5    
11/10/10
9:58:11.000 PM    
20101110215811.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628971
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045811.119703-000
TimeWritten=20101111045811.119703-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    GRIZZLY$Source Workstation:    GRIZZLYError Code:    0x0 Options| User=NULL Options| host=DCVAD.********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options
0
Comment
Question by:NXRocks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 24

Accepted Solution

by:
Awinish earned 2000 total points
ID: 34179642
The events are normal & you can disable from auditing those event in 2008.
This is like DC is trying to validate when user is login into domain & since SAM is responsible for local a/c authentication & thats why these events are occurring & its not an error.

Disable the audit as windows 2008 having advanced auditing options & can be disabled safely.

http://technet.microsoft.com/en-us/library/dd772679%28WS.10%29.aspx

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/bf4df3cd-5b9a-4611-acab-127e509da8b7

http://www.eventid.net/display.asp?eventid=4776&eventno=10736&source=Microsoft-Windows-Security-Auditing&phase=1

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776

1

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

598 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question