Event ID 4776 The computer attempted to validate the credentials for an account.

Hello,
Starting Saturday evening I am getting flooded on my DC server (DCVAD) with some Credential Validations ... No changes were done to any of the systems at that time ... It seems that all are coming from two workstations - Grizzly and Kodiak
All my search didn't find anything relevant on event 4776

Appreciate the help and here is the Splunk capture of some events (look at the time stamp please):

1    
11/10/10
9:59:52.000 PM    
20101110215952.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3629013
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045952.624283-000
TimeWritten=20101111045952.624283-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r***********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r******aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.***********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

2    
11/10/10
9:59:19.000 PM    
20101110215919.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628998
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045919.174798-000
TimeWritten=20101111045919.174798-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    GRIZZLY$Source Workstation:    GRIZZLYError Code:    0x0 Options| User=NULL Options| host=DCVAD.*********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

3    
11/10/10
9:59:18.000 PM    
20101110215918.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628997
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045918.190530-000
TimeWritten=20101111045918.190530-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r*********aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.*********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options

4    
11/10/10
9:58:44.000 PM    
20101110215844.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.*********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628981
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045844.850408-000
TimeWritten=20101111045844.850408-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    r********aSource Workstation:    KODIAKError Code:    0x0 Options| User=NULL Options| host=DCVAD.**************.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options
5    
11/10/10
9:58:11.000 PM    
20101110215811.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628971
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045811.119703-000
TimeWritten=20101111045811.119703-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
EventCode=4776 Options| Message=The computer attempted to validate the credentials for an account.Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account:    GRIZZLY$Source Workstation:    GRIZZLYError Code:    0x0 Options| User=NULL Options| host=DCVAD.********.com Options| index=main Options| source=WMI:WinEventLog:Security Options| sourcetype=WMI:WinEventLog:Security Options| splunk_server=SPLUNK Options
NXRocksAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AwinishCommented:
The events are normal & you can disable from auditing those event in 2008.
This is like DC is trying to validate when user is login into domain & since SAM is responsible for local a/c authentication & thats why these events are occurring & its not an error.

Disable the audit as windows 2008 having advanced auditing options & can be disabled safely.

http://technet.microsoft.com/en-us/library/dd772679%28WS.10%29.aspx

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/bf4df3cd-5b9a-4611-acab-127e509da8b7

http://www.eventid.net/display.asp?eventid=4776&eventno=10736&source=Microsoft-Windows-Security-Auditing&phase=1

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.