Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
• Credential Validation
The domain controller attempted to validate the credentials for an account
On this page
Despite what this event says, the computer is not necessarily a domain controller; member servers and workstations also log this event for logon attempts with local SAM accounts.
When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.
For Kerberos authentication see event 4768, 4769 and 4771.
This event is also logged on member servers and workstations when someone attempts to logon with a local account.
Authentication Package: Always "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
Logon Account: name of the account
Source Workstation: computer name where logon attempt originated