Solved

Event ID 4776 The computer attempted to validate the credentials for an account.

Posted on 2010-11-11
1
26,636 Views
Last Modified: 2012-06-27
Hello,
Starting Saturday evening I am getting flooded on my DC server (DCVAD) with some Credential Validations ... No changes were done to any of the systems at that time ... It seems that all are coming from two workstations - Grizzly and Kodiak
All my search didn't find anything relevant on event 4776

Appreciate the help and here is the Splunk capture of some events (look at the time stamp please):

1    
11/10/10
9:59:52.000 PM    
20101110215952.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3629013
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045952.624283-000
TimeWritten=20101111045952.624283-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r***********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r******aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.***********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

2    
11/10/10
9:59:19.000 PM    
20101110215919.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628998
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045919.174798-000
TimeWritten=20101111045919.174798-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    GRIZZLY$Source Workstation:    GRIZZLYError Code:    0x0 Options| User=NULL Options| host=DCVAD.*********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

3    
11/10/10
9:59:18.000 PM    
20101110215918.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628997
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045918.190530-000
TimeWritten=20101111045918.190530-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r*********aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.*********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

4    
11/10/10
9:58:44.000 PM    
20101110215844.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.*********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628981
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045844.850408-000
TimeWritten=20101111045844.850408-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r********aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.**************.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options
5    
11/10/10
9:58:11.000 PM    
20101110215811.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628971
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045811.119703-000
TimeWritten=20101111045811.119703-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    GRIZZLY$Source Workstation:    GRIZZLYError Code:    0x0 Options| User=NULL Options| host=DCVAD.********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options
0
Comment
Question by:NXRocks
1 Comment
 
LVL 24

Accepted Solution

by:
Awinish earned 500 total points
ID: 34179642
The events are normal & you can disable from auditing those event in 2008.
This is like DC is trying to validate when user is login into domain & since SAM is responsible for local a/c authentication & thats why these events are occurring & its not an error.

Disable the audit as windows 2008 having advanced auditing options & can be disabled safely.

http://technet.microsoft.com/en-us/library/dd772679%28WS.10%29.aspx

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/bf4df3cd-5b9a-4611-acab-127e509da8b7

http://www.eventid.net/display.asp?eventid=4776&eventno=10736&source=Microsoft-Windows-Security-Auditing&phase=1

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776

0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

774 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question