Solved

Event ID 4776 The computer attempted to validate the credentials for an account.

Posted on 2010-11-11
Last Modified: 2012-06-27
Hello,
Starting Saturday evening I am getting flooded on my DC server (DCVAD) with some Credential Validations ... No changes were done to any of the systems at that time ... It seems that all are coming from two workstations - Grizzly and Kodiak.
All my searching didn't find anything relevant on event 4776.

Appreciate the help and here is the Splunk capture of some events (look at the time stamp please):

1    
11/10/10
9:59:52.000 PM    
20101110215952.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3629013
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045952.624283-000
TimeWritten=20101111045952.624283-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r***********a
Source Workstation:    KODIAK
Error Code:    0x0
host=DCVAD.***********.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

2    
11/10/10
9:59:19.000 PM    
20101110215919.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628998
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045919.174798-000
TimeWritten=20101111045919.174798-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
host=DCVAD.*********.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

3    
11/10/10
9:59:18.000 PM    
20101110215918.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.**********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628997
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045918.190530-000
TimeWritten=20101111045918.190530-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
host=DCVAD.*********.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

4    
11/10/10
9:58:44.000 PM    
20101110215844.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.*********.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628981
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045844.850408-000
TimeWritten=20101111045844.850408-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    r**********a
Source Workstation:    KODIAK
Error Code:    0x0
host=DCVAD.**************.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

5    
11/10/10
9:58:11.000 PM    
20101110215811.000000
Category=14336
CategoryString=Credential Validation
ComputerName=DCVAD.************.com
EventCode=4776
EventIdentifier=4776
EventType=4
Logfile=Security
RecordNumber=3628971
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20101111045811.119703-000
TimeWritten=20101111045811.119703-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
host=DCVAD.********.com
index=main
source=WMI:WinEventLog:Security
sourcetype=WMI:WinEventLog:Security
splunk_server=SPLUNK

Question by:NXRocks
1 Comment
 
Accepted Solution

by:
Awinish earned 500 total points
ID: 34179642
The events are normal and you can disable auditing of those events in 2008.
This is the DC trying to validate when a user is logging in to the domain, and since SAM is responsible for local account authentication, that's why these events are occurring; it's not an error.

Disable the audit, as Windows 2008 has advanced auditing options and it can be disabled safely.

http://technet.microsoft.com/en-us/library/dd772679%28WS.10%29.aspx

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/bf4df3cd-5b9a-4611-acab-127e509da8b7

http://www.eventid.net/display.asp?eventid=4776&eventno=10736&source=Microsoft-Windows-Security-Auditing&phase=1

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
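
One way to triage a flood like the one in the question, added here as an example that is not part of the original post or answer: parse the 4776 fields from the exported key=value text, count outcomes per source workstation and logon account, and list the pairs with failed validations. The sample events are constructed (the account name svc_example and the failure codes are assumptions; the events in the question all show 0x0), and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS values that appear in the 4776 "Error Code" field.
STATUS = {"0x0": "success", "0xc0000064": "no such user",
          "0xc000006a": "wrong password", "0xc0000234": "account locked out"}
FIELD = re.compile(r"^(Logon Account|Source Workstation|Error Code):(.*)$", re.M)

def parse_4776(text):
    """Yield the three Message fields of each 4776 event in key=value text."""
    for block in re.split(r"(?m)^EventCode=4776[ \t\r]*$", text)[1:]:
        fields = {k: v.strip() for k, v in FIELD.findall(block)}
        if len(fields) == 3:          # skip truncated events
            yield fields

def summarize(text):
    """Count outcomes per (source workstation, logon account)."""
    stats = defaultdict(Counter)
    for ev in parse_4776(text):
        ws = ev["Source Workstation"].upper() or "(blank)"
        code = ev["Error Code"].lower()
        stats[(ws, ev["Logon Account"].lower())][STATUS.get(code, code)] += 1
    return stats

def needs_review(stats, max_failures=0):
    """Return (pair, failure count) for pairs above the failure threshold."""
    fails = {p: sum(n for o, n in c.items() if o != "success") for p, c in stats.items()}
    return sorted((p, n) for p, n in fails.items() if n > max_failures)

# Constructed sample in the layout of the question's Splunk capture.
SAMPLE = """\
EventCode=4776
Logon Account:    GRIZZLY$
Source Workstation:    GRIZZLY
Error Code:    0x0
EventCode=4776
Logon Account:    svc_example
Source Workstation:    KODIAK
Error Code:    0xC000006A
EventCode=4776
Logon Account:    svc_example
Source Workstation:    KODIAK
Error Code:    0xC000006A
"""

if __name__ == "__main__":
    for pair, failures in needs_review(summarize(SAMPLE)):
        print(pair, failures, "failed validations")
```

A pair that only ever shows 0x0 is ordinary NTLM validation; repeated non-zero codes from one workstation are the part worth looking at.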
