The domain controller attempted to validate the credentials for an account, Error 4776. listing domain Controller as Source Workstation

    Question

  • I have been trying to track down an issue where one of our staff is getting locked out of their computer. In checking the logs, I can usually find that the logs with Error 4776 will tell me which workstation was being used to enter the wrong password, but for this individual the Domain Controller is listed as the source workstation.

    AV - Alert - "1490362410" --> RID: "18105"; RL: "4"; RG: "windows,"; RC: "Windows audit failure event."; USER: "(no user)"; SRCIP: "None";
    HOSTNAME: "(DC1) 192.168.xxx.xxx->WinEvtLog"; LOCATION: "(DC1) 192.168.xxx.xxx->WinEvtLog"; EVENT: "[INIT]2017 Mar 24 09:33:28 WinEvtLog:
    Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing:(no user): no domain: DC1.Mydomain.com: The domain controller
    attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: firstname.lastname
    Source Workstation: DC1 Error Code: 0xc000006a[END]"; 

    Bobby Ashton, MCSE

    Friday, March 24, 2017 4:10 PM

All replies

  • Yes, that is pretty common, especially when the workstation is non-domain-joined. So with account lockouts, here is what you need to do:

    1. Download the Lockouttools from https://www.microsoft.com/en-us/download/details.aspx?id=18465

    2. Run lockoutstatus.exe and you will find that the account was locked out and that a bad password was sent at the same time from the PDC and another domain controller at a certain time.

    3. Catch the domain controller that sent the bad password, not the PDC, as the PDC will give you the source as the domain controller itself.

    4. In the security log on that domain controller, at that specific time, you will have the log entry which gives you the CLIENT ADDRESS: <IP_ADDRESS>. That is the actual source of the lockout.

    You can resolve that IP address to the hostname from your DNS.

    I also have some automation done to actually catch this and look up the IP to hostname.

    Let me know if you need additional info or if I have suggested something you already tried.

    Friday, March 24, 2017 5:24 PM
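
As an added example (not part of the thread and not the poster's own automation): a Python parser for alerts in the format quoted in the question. It decodes the 4776 error code and flags events whose Source Workstation is blank or is the reporting domain controller itself, which are the ones that need the follow-up on another DC described in the reply above. The function names and the second sample alert are constructed for illustration.

```python
import re

# Well-known NTSTATUS values that appear as the 4776 "Error Code".
NTSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}

# Matches the event text inside the alert format quoted in the question.
EVENT_4776 = re.compile(
    r"AUDIT_FAILURE\(4776\):\s*[^:]+:[^:]*:[^:]*:\s*(?P<reporter>[^:\s]+):"
    r".*?Logon Account:\s*(?P<account>\S+)"
    r"\s+Source Workstation:\s*(?P<workstation>\S*)"
    r"\s+Error Code:\s*(?P<code>0x[0-9a-fA-F]+)",
    re.S,
)

def triage(alert):
    """Return the fields of a 4776 failure, or None if the alert is not one."""
    m = EVENT_4776.search(alert)
    if m is None:
        return None
    code = int(m["code"], 16)
    dc_short = m["reporter"].split(".")[0].lower()
    return {
        "account": m["account"],
        "reporting_dc": m["reporter"],
        "source_workstation": m["workstation"],
        "reason": NTSTATUS.get(code, "unmapped status %#x" % code),
        # Blank or equal to the reporting DC: the field does not name the client.
        "source_is_dc": m["workstation"].split(".")[0].lower() in ("", dc_short),
    }

def needs_followup(alerts):
    """Accounts whose failures name only the DC, so another DC's log is needed."""
    hits = (triage(a) for a in alerts)
    return sorted({h["account"] for h in hits if h and h["source_is_dc"]})

_HEAD = ("Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing:"
         "(no user): no domain: %s: The domain controller attempted to validate "
         "the credentials for an account. Authentication Package: "
         "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: %s "
         "Source Workstation: %s Error Code: %s[END]")
# Values from the alert in the question.
PAGE_ALERT = _HEAD % ("DC1.Mydomain.com", "firstname.lastname", "DC1", "0xc000006a")
# Constructed sample: a second DC reporting a real workstation name.
CONSTRUCTED_ALERT = _HEAD % ("DC2.Mydomain.com", "jane.doe", "WKSTN-042", "0xc0000234")
```
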
  • Hi

    You can configure advanced audit policy to find the source:

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    https://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx

    Also, these are possibilities for the lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone, etc.)

    You can also check the source with the Account Lock tool (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
    There is a new tool to troubleshoot this in Windows Server 2008 R2, called dsac.exe, which is the "Active Directory Administration Centre". Check the article: https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    Also, you can check with these 3rd-party tools: Lepide, Netwrix....


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Saturday, March 25, 2017 9:34 AM
  • As suggested above, you can try using the Account lockout tool, which may help you to get rid of this issue.

    You may also check out another article, https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/, which summarizes a few common root causes of account lockouts and how to resolve them.

    Monday, March 27, 2017 7:15 AM
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 31, 2017 9:21 AM
    Moderator