Solved

Event ID 4776 The computer attempted to validate the credentials for an account.

Posted on 2010-11-11
Last Modified: 2012-06-27
Hello,
Starting Saturday evening I am getting flooded on my DC server (DCVAD) with some Credential Validations ... No changes were made to any of the systems at that time ... It seems that all are coming from two workstations - Grizzly and Kodiak.
All my searching didn't find anything relevant on event 4776.

Appreciate the help and here is the Splunk capture of some events (look at the time stamp please):

1    
11/10/10
9:59:52.000 PM    
20101110215952.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3629013
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045952.624283-000
TimeWritten=20101111045952.624283-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r***********a
Source Workstation:    KODIAK
Error Code:    0x0
host=DCVAD.***********.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

2    
11/10/10
9:59:19.000 PM    
20101110215919.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628998
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045919.174798-000
TimeWritten=20101111045919.174798-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
host=DCVAD.*********.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

3    
11/10/10
9:59:18.000 PM    
20101110215918.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628997
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045918.190530-000
TimeWritten=20101111045918.190530-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
host=DCVAD.*********.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

4    
11/10/10
9:58:44.000 PM    
20101110215844.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.*********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628981
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045844.850408-000
TimeWritten=20101111045844.850408-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
host=DCVAD.**************.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

5    
11/10/10
9:58:11.000 PM    
20101110215811.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628971
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045811.119703-000
TimeWritten=20101111045811.119703-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
host=DCVAD.********.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK
Question by:NXRocks
Accepted Solution

by:
Awinish earned 2000 total points
ID: 34179642
The events are normal, and you can disable auditing of those events in 2008.
This is the DC trying to validate when a user is logging into the domain; since SAM is responsible for local account authentication, that's why these events are occurring, and it's not an error.

Disable the audit, as Windows 2008 has advanced auditing options and it can be disabled safely.

http://technet.microsoft.com/en-us/library/dd772679%28WS.10%29.aspx

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/bf4df3cd-5b9a-4611-acab-127e509da8b7

http://www.eventid.net/display.asp?eventid=4776&eventno=10736&source=Microsoft-Windows-Security-Auditing&phase=1

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
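
One way to triage a 4776 flood like the one in the question, as an added example that is not part of the original thread: it tallies events per source workstation and account and separates Error Code 0x0 (success) from failed validations. The sample events, the accounts svc_example and user0 to user2, the workstation WS-EXAMPLE and the failure threshold are constructed assumptions; GRIZZLY and KODIAK are the names from the question.

```python
import re
from collections import Counter

# Subset of NTSTATUS values documented for the 4776 "Error Code" field.
STATUS = {0x0: "success", 0xC0000064: "no such user",
          0xC000006A: "bad password", 0xC0000234: "account locked out"}

EVENT_START = re.compile(r"^EventCode=4776[ \t]*$", re.M)
FIELD = re.compile(
    r"^(Logon Account|Source Workstation|Error Code):[ \t]*(\S.*?)[ \t]*$", re.M)

def parse_4776(text):
    """Return (workstation, account, status) for each 4776 event in a text export."""
    events = []
    for chunk in EVENT_START.split(text)[1:]:
        f = dict(FIELD.findall(chunk))
        if len(f) == 3:  # skip truncated events
            events.append((f["Source Workstation"], f["Logon Account"],
                           int(f["Error Code"], 16)))
    return events

def summarize(events, fail_threshold=3):
    """Count per (workstation, account); flag workstations with repeated failures."""
    ok, failed, fails_by_ws = Counter(), Counter(), Counter()
    for ws, acct, code in events:
        if code == 0:
            ok[(ws, acct)] += 1
        else:
            failed[(ws, acct, STATUS.get(code, hex(code)))] += 1
            fails_by_ws[ws] += 1
    flagged = sorted(ws for ws, n in fails_by_ws.items() if n >= fail_threshold)
    return ok, failed, flagged

def _event(acct, ws, code):
    # Constructed event using the field layout of the capture in the question.
    return ("EventCode=4776\nLogfile=Security\n"
            "Message=The computer attempted to validate the credentials for an account.\n"
            f"Logon Account:    {acct}\nSource Workstation:    {ws}\nError Code:    {code}\n\n")

# Constructed sample: successes like the posted flood, plus failures for contrast.
SAMPLE = (_event("GRIZZLY$", "GRIZZLY", "0x0") * 2
          + _event("svc_example", "KODIAK", "0x0") * 3
          + "".join(_event(f"user{i}", "WS-EXAMPLE", "0xC000006A") for i in range(3)))

if __name__ == "__main__":
    ok, failed, flagged = summarize(parse_4776(SAMPLE))
    for (ws, acct), n in ok.most_common():
        print(f"OK    {ws:<12} {acct:<12} {n}")
    for (ws, acct, why), n in failed.most_common():
        print(f"FAIL  {ws:<12} {acct:<12} {n}  {why}")
    print("workstations over failure threshold:", flagged)
```

Every event in the posted capture carries Error Code 0x0, so on that data the failure tally stays empty and only the per-workstation success counts remain to explain.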
