Windows Security Log Event ID 4776
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Account Logon • Credential Validation |
Type
|
Success
Failure
|
Corresponding events
in Windows
2003 and before |
680
,
681
|
4776: The domain controller attempted to validate the credentials for an account
On this page
Despite what this event says, the computer is not necessarily a domain controller; member servers and workstations also log this event for logon attempts with local SAM accounts.
When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.
For Kerberos authentication see event 4768, 4769 and 4771.
This event is also logged on member servers and workstations when someone attempts to logon with a local account.
Authentication Package: Always "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
Logon Account: name of the account
Source Workstation: computer name where logon attempt originated
Free Security Log Resources by Randy
Error Code:
C0000064 |
user name does not exist |
C000006A |
user name is correct but the password is wrong |
C0000234 |
user is currently locked out |
C0000072 |
account is currently disabled |
C000006F |
user tried to logon outside his day of week or time of day restrictions |
C0000070 |
workstation restriction |
C0000193 |
account expiration |
C0000071 |
expired password |
C0000224 |
user is required to change password at next logon |
C0000225 |
evidently a bug in Windows and not a risk |
Supercharger Enterprise