The domain controller attempted to validate the credentials for an account
On this page
Despite what this event says, the computer is not necessarily a domain controller; member servers and workstations also log this event for logon attempts with local SAM accounts.
When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.
For Kerberos authentication see event 4768, 4769 and 4771.
This event is also logged on member servers and workstations when someone attempts to logon with a local account.
Authentication Package: Always "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
Logon Account: name of the account
Source Workstation: computer name where logon attempt originated