Windows Security Log Event ID 4776

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Account Logon
 • Credential Validation
Type Success
Corresponding events
in Windows 2003
and before
680 , 681  

4776: The domain controller attempted to validate the credentials for an account

On this page

Despite what this event says, the computer is not necessarily a domain controller; member servers and workstations also log this event for logon attempts with local SAM accounts.

When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.

For Kerberos authentication see event 4768, 4769 and 4771.

This event is also logged on member servers and workstations when someone attempts to logon with a local account. 

Authentication Package: Always "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"

Logon Account: name of the account

Source Workstation: computer name where logon attempt originated

Free Security Log Resources by Randy

Description Fields in 4776

Error Code:

C0000064 user name does not exist
C000006A user name is correct but the password is wrong
C0000234 user is currently locked out
C0000072 account is currently disabled
C000006F user tried to logon outside his day of week or time of day restrictions
C0000070 workstation restriction
C0000193 account expiration
C0000071 expired password
C0000224 user is required to change password at next logon
C0000225 evidently a bug in Windows and not a risk

Supercharger Free Edition


Examples of 4776

The domain controller attempted to validate the credentials for an account.

Logon Account: administrator
Source Workstation: WIN-R9H529RIO4Y
Error Code: 0xc0000064

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources