none
Event 4776 & 4625 logged from workgroup computer on Server 2008 R2 domain server

    Question

  • Hello,

    I've tried looking through various Internet forums and haven't found anything conclusive with the following problem we are experiencing.  We have one machine that exists in a workgroup by itself.  However, at one point this client was on our domain when it was being built.  The machine was properly removed from the domain before being put into production.  Since then the machine is causing 3-4 4776 and 4625 audit security events to be logged every 5 minutes on one of our member servers.  The interesting thing is that the member server logging these events used to be a domain controller when the machine in question was built.  The server was properly demoted to being a member server last year and new domain controllers have since taken over that role.  I do not think there is any harm in these events being generated, but it does create a huge overload of events to sift through when we review the security event logs every day.  Ideally I would like to make this stop happening.  If that isn't possible for some reason I would like to be able to create a Custom View in the Event Viewer to not display 4776 & 4625 events from this machine while still being able to review these events for other machines if generated.  I am open to any and all ideas.

    Thanks.

    Wednesday, February 06, 2013 7:53 PM

All replies

  • Hi, 

    The below are the details of event ID 

    4776 The domain controller attempted to validate the credentials for an account.
    4625 An account failed to log on.

    & the same details you can find in http://support.microsoft.com/kb/947226?wa=wsignin1.0


    Regards, Ravikumar P

    Thursday, February 07, 2013 7:20 AM
  • Hello,

    Thank you for the event ID descriptions, but what I need more is a way to make them stop appearing on the domain server.  A workgroup computer has no reason to be trying to validate credentials against a domain server as far as I am aware.  The only thing I can think of is that the domain server logging these events has the same name as the domain controller the workgroup computer was once joined to. If I do a search of the registry I find the domain server name in many places, but I am hesitant to remove those entries for fear of breaking system system.  Most of the hits I get from the registry allude to software that was installed from a shared folder on the previous domain controller.  There was one hit in the Group Policy History that referenced the domain server name, but removing that value from the Registry did not stop these events from logging.  Any ideas on stopping these events from logging or help in explaining why they are logging will be greatly appreciated.

    Thanks 

    Thursday, February 07, 2013 3:53 PM
  • Hello,

    To help troubleshoot this issue I wanted to add that the server name the workgroup computer is trying to access also used to be a file server where we stored software for install across the network.  Is it possible that the machine is still trying to access the domain server because we installed software to it when it was part of the domain.  I really would like to break the cycle of the continued logon attempts to this server because they are unnecessary and we do not see this behavior on any other member server on our domain.  I tried to create a group policy that would deny access to this member server across the network for the workgroup user, but since it is not a domain account group policy will not allow me to add the user.  I hope this additional information helps with the troubleshooting process.

    Thanks.

    Tuesday, February 12, 2013 2:04 PM