4776: The domain controller attempted to validate the credentials for an account

Despite what this event says, the computer is not necessarily a domain controller; member servers and workstations also log this event for logon attempts with local SAM accounts.

When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. It specifies which user account logged on (Account Name) as well as the name of the client computer from which the user initiated the logon, in the Workstation field. For Kerberos authentication see events 4768, 4769 and 4771.

This event is also logged on member servers and workstations when someone attempts to log on with a local account.

Description Fields in 4776

Authentication Package: Always "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
Logon Account: name of the account
Source Workstation: computer name where logon attempt originated
Error Code:

Examples of 4776

The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
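The fields described above can be pulled out of the event's XML form and tallied to surface repeated failed credential validations per account and source workstation. This is an added example, not code from the original page: the sample events, host names and account names are constructed, the threshold is an arbitrary assumption, and the EventData names (PackageName, TargetUserName, Workstation, Status) are the ones the Security log uses for 4776 in XML view.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(account, workstation, status, computer):
    # Build one constructed 4776 record in the Security log's XML layout.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>4776</EventID><Computer>{computer}</Computer></System>"
        "<EventData>"
        '<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
        f'<Data Name="TargetUserName">{account}</Data>'
        f'<Data Name="Workstation">{workstation}</Data>'
        f'<Data Name="Status">{status}</Data>'
        "</EventData></Event>"
    )

# Constructed sample data: three failures for one account on a DC, one success,
# and one local-account failure logged by a member server rather than a DC.
SAMPLE_EVENTS = [
    _event("alice", "WKS-014", "0x0", "dc01.example.test"),
    _event("svc_backup", "WKS-022", "0xc000006a", "dc01.example.test"),
    _event("svc_backup", "WKS-022", "0xc000006a", "dc01.example.test"),
    _event("svc_backup", "wks-022", "0xc000006a", "dc01.example.test"),
    _event("localadmin", "FILESRV02", "0xc000006a", "filesrv02.example.test"),
]

def parse_4776(xml_text):
    """Return the 4776 fields as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4776":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "logged_by": root.findtext("e:System/e:Computer", namespaces=NS),
        "account": data.get("TargetUserName", ""),
        "workstation": data.get("Workstation", ""),
        # Status 0x0 means the credentials validated; a missing value is kept as -1.
        "status": int(data.get("Status") or "-1", 16),
    }

def failed_validations(events, threshold=3):
    """Count non-zero Status events per (account, workstation) at or above threshold."""
    failures = Counter()
    for xml_text in events:
        rec = parse_4776(xml_text)
        if rec and rec["status"] != 0:
            failures[(rec["account"].lower(), rec["workstation"].upper())] += 1
    return {key: n for key, n in failures.items() if n >= threshold}
```

The `logged_by` value shows which computer recorded the event, which is how a DC-validated domain logon is told apart from a local SAM logon recorded on a member server or workstation.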
03/26/2020

Description
Configuration of DC Security Logs and Troubleshooting

Cause
Windows Server uses the DC Security Log to record logon/logoff events and/or other security-related events specified by the system's audit policy. If the audit policy is set to record logins, a successful domain login records the user's user name and computer name in the Security Log. On Windows Server 2003 and above, the computer’s IP address is also logged.

Resolution
To configure the DC Security Log method in Directory Services Connector, perform the following steps:

Step 1: In the Directory Connector Configuration Tool, right-click SonicWall SSO Agent in the left pane.

Step 2: Select Properties.

Step 3: In the right pane in the Query Source field, select one of the following options:

Step 4: Select the desired number of seconds for the Event Polling Time field. The Event Polling Time option is visible only if one of the DC Security Log options is selected in the Query Source field. The SSO Agent fetches event logs from the Domain Controller at a regular time interval to discover updated user information. The Event Polling Time option provides a way to specify this interval. The minimum is 5 seconds, and the maximum is 300 seconds, with a default of 10 seconds.

Step 5: To save information about previously identified users when the SSO Agent service is restarted, select the preserve users during service restart checkbox. Upon restarting the SSO Agent service, the user information is restored. Because the SSO Agent must be restarted for property changes to take effect, this allows the agent to maintain current user information across these restarts. To avoid restoring outdated information, if the backup is older than 15 minutes, the information is not restored. If this option is unchecked when using DC Security Log, the user information is not saved during a service restart. When the next user information request comes in for a previously logged in user, the DC logs are checked, but there is no new logon event and so the user is not identified. If Query Source is set to DC Security Log only, the SSO Agent will send no user information to the appliance. If Query Source is set to DC Security Log with NETAPI or WMI, the agent will do a NETAPI or WMI query to the user PC to identify the user.

Step 6: Next, configure the Domain Controller information in the Directory Connector Configurator, including the IP address of the DC, the administrator account, and the password.

Step 7: Configuring the Domain Controller Information. Only machines configured with a Domain Controller role can be set as the domain controller in the Directory Connector Configurator. In the Directory Connector Configuration Tool, right-click Domain Controller in the left pane.

Step 8: Select Add.

Step 9: In the right pane on the Edit tab, type the DC IP address into the IP Address field.

Step 10: In the Administrator User field, enter the domain and admin user name separated by a backslash, such as “snwl\administrator”.

Step 11: In the Administrator Password field, type in the password for the admin user.

Step 12: In the Initial Fetch Time field, select the time of day for the SSO Agent to begin service startup and fetch event logs from the Domain Controller for the first time. All event logs are fetched before the SSO Agent service is started.

Step 13: To test the connection to the Domain Controller using the IP address and user credentials, click Test Connection. If the IP address does not belong to a machine with a role of Domain Controller, the Configurator will not accept the configuration and an error message is displayed.

Step 14: If the IP address belongs to a machine with a role of Domain Controller, no error is displayed. Click OK.

Step 15: Repeat this procedure to add another Domain Controller.

Setting Group Policy to Enable Logon Audit on Windows Server 2008

Logon audit may need to be enabled on the Windows Server machine. To enable logon audit on Windows Server 2008, perform the following steps:

1. Start the Group Policy Management Console.
The Group Policy Management Editor window is displayed.
4. Double-click on Audit account logon events and select Success. Click OK.

Setting Group Policy to Enable Logon Audit on Windows Server 2003

By default, logon audit is disabled on Windows Server 2003. To enable logon audit on Windows Server 2003, perform the following steps:

1. Start the Group Policy Management Console.
4. Give your policy a name and click OK.
8. Double-click on Audit account logon events and select Success. Click OK.

How to Test: This should list all logged users currently on your domain. If the above does not return any results, kindly confirm the Server settings and Event Viewer Security logs if the user is logged on, as SonicWall only displays/uses for authentication what information it gets from the Domain Controller.

If you are using Advanced Auditing, please use the following article for GPO configuration: DC Security Logs with Advanced Auditing
Where are domain controller logs stored?
The default location is the systemroot\NTDS folder. Each transaction in Active Directory is recorded in one or more transaction log files that are associated with the Ntds.

How do you audit a domain controller?
Right-click Domain Controllers, and then select Properties. Select the Group Policy tab, select Default Domain Controller Policy, and then select Edit. Select Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.

How do I view Active Directory history?
To track user account changes in Active Directory, open “Windows Event Viewer”, and go to “Windows Logs” ➔ “Security”. Use the “Filter Current Log” option in the right pane to find the relevant events.

What types of event logs do domain controllers have?
Types of Event Logs: They are Information, Warning, Error, Success Audit (Security Log) and Failure Audit (Security Log).