Too many login failure events


  • Hello Experts,

    The following event details are extracted from SIEM tool:-

    Event Description: - Observed hundreds of login failure events generated from the domain controller for multiple sources to multiple destinations.

    Ask:- What is causing this issue? & How to stop it?


    No. of events in 2.5 minutes is around 7500

    Name:-The domain controller attempted to validate the credentials for an account.

    EventID:- Microsoft-Windows-Security-Auditing:4776

    Message:-The specified user does not exist.

    Reason:-User name does not exist

    categoryOutcome:-  /Failure

    destinationUserName:-  abcd (used for data replication)

    sourceHostName:- Multiple hosts (all internal)

    OSversion:- Windows Server 2008 R2

    destinationHostName:- Multiple hosts (all internal)

    status code:- 0xc0000064, 0x0, 0xc0000071, 0xc0000234, 0xc000006a

    deviceHostName:- DomainController


    Request your valuable inputs.



    Monday, May 14, 2018 6:29 PM

All replies

  • Hi
    These are possibilities for the lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -ActiveSync devices (cell phone, etc.)

    and you can check the source with the Account Lock tool (for Server 2003);
    there is a new tool to troubleshoot this in Windows Server 2008 R2, called dsac.exe, which is the "Active Directory Administration Centre".. check the article for;
    also you can check with these 3rd party tools: Lepide, Netwrix....

    and you can configure advanced audit policy to find the source;

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, May 15, 2018 1:06 PM
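
One way to find the source from the SIEM data itself, as an added example that is not part of either post: group the failed 4776 events by source host and status code, and list accounts that fail from more than one host. It assumes the events are exported one per line as `key=value` pairs using the field names from the question; the host and account names in the sample are constructed.

```python
from collections import Counter, defaultdict

# NTSTATUS values documented for event 4776 (the failure codes listed in the question).
STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000071: "password expired",
    0xC0000234: "account locked out",
}
REQUIRED = {"sourceHostName", "destinationUserName", "status"}

# Constructed sample export; field names follow the SIEM fields in the question.
SAMPLE = """\
sourceHostName=APP01 destinationUserName=abcd status=0xc0000064
sourceHostName=APP01 destinationUserName=abcd status=0xc0000064
sourceHostName=APP01 destinationUserName=abcd status=0xc0000064
sourceHostName=FILE02 destinationUserName=abcd status=0xc000006a
sourceHostName=FILE02 destinationUserName=abcd status=0xc000006a
sourceHostName=FILE02 destinationUserName=abcd status=0xc0000234
sourceHostName=WS17 destinationUserName=jdoe status=0x0
sourceHostName=WS17 destinationUserName=svc_x status=0xc0000071
"""

def parse(text):
    """Yield (host, account, status) for each failed validation (status != 0x0)."""
    for line in text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if not REQUIRED <= f.keys():
            continue  # skip blank or incomplete rows
        code = int(f["status"], 16)
        if code != 0:
            yield f["sourceHostName"].upper(), f["destinationUserName"].lower(), code

def triage(text):
    """Rank source hosts by failure count; list accounts failing from several hosts."""
    per_host, hosts_per_account = defaultdict(Counter), defaultdict(set)
    for host, account, code in parse(text):
        per_host[host][(account, code)] += 1
        hosts_per_account[account].add(host)
    hosts = []
    for host, counts in per_host.items():
        (account, code), _ = counts.most_common(1)[0]  # dominant account/status pair
        hosts.append({"host": host, "failures": sum(counts.values()),
                      "top_account": account,
                      "top_status": STATUS.get(code, hex(code))})
    hosts.sort(key=lambda r: (-r["failures"], r["host"]))
    shared = {a: sorted(h) for a, h in hosts_per_account.items() if len(h) > 1}
    return hosts, shared
```

Calling `triage()` on the export returns the ranked host list and the accounts seen failing from several hosts, which are the machines to check first for the stored-credential causes listed in the reply above.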
  • Hi Burak,

    Appreciate your help.



    Friday, May 18, 2018 7:14 AM