Bobby Ashton
asked on
The domain controller attempted to validate the credentials for an account, Error 4776. listing domain Controller as Source Workstation
I have been trying to track down an issue where one of our staff is getting locked out or their computer. In checking the logs I usually can find the the logs with Error 4776 will tell me which workstation was being used to enter the wrong password, but for this individual the Domain Controller is listed as the source workstation.
AV - Alert - "1490362410" --> RID: "18105"; RL: "4"; RG: "windows,"; RC: "Windows audit failure event."; USER: "(no user)"; SRCIP: "None";
HOSTNAME: "(DC1) 192.168.xxx.xxx->WinEvtLog "; LOCATION: "(DC1) 192.168.xxx.xxx->WinEvtLog "; EVENT: "[INIT]2017 Mar 24 09:33:28 WinEvtLog:
Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security -Auditing: (no user): no domain: DC1.Mydomain.com: The domain controller
attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0 Logon Account: firstname.lastname
Source Workstation: DC1 Error Code: 0xc000006a[END]";
AV - Alert - "1490362410" --> RID: "18105"; RL: "4"; RG: "windows,"; RC: "Windows audit failure event."; USER: "(no user)"; SRCIP: "None";
HOSTNAME: "(DC1) 192.168.xxx.xxx->WinEvtLog
Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security
attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_P
Source Workstation: DC1 Error Code: 0xc000006a[END]";
Do you have email setup using the domain credentials too? like maybe on her cell phone or some other service that's requestion authentication.
ASKER
Yes There is a cell phone that is used by this user that does authenticate with this login. I would think that if that was the case the source would be the email server not the domain controller however.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.