Thousands of 4776 events


I'm facing a problem which is causing thousands of successful 4776 events on DCs. I figured out that some kind of network printer enumeration is causing it. Every refresh or opening of printers in Word, for example, triggers a lot of 4776 events. It takes place even when the user doesn't use the computer, so it is locked. Any idea why it works like that? I suspect that it is caused by opening the printer named pipe; I see in ProcMon create and close file operations on the pipe\spools printer path. The server is W2K8 R2, the client is W10.

Thanks in advance

Rukmini On

This problem "Thousands of 4776 events" usually occurs every time that a credential validation occurs using NTLM authentication. It shows successful and unsuccessful credential validation attempts.

This error occurs only for the authoritative accounts. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. This event is also generated when a workstation unlock event occurs.

Obtain the source workstation address from the 4776 event log and please check the steps below:

  • Try checking whether the user is entering wrong credentials to run scheduled tasks, start services, etc.
  • Try checking the credential management to know if there are any old credentials present in the cache.
  • While mounting the network disk, check whether you have entered a wrong password.
  • Check if there are any third-party programs that cache the user's wrong password.

References:

4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) - Windows security | Microsoft Docs.

Event ID 4776 / 0xc00006a - Microsoft Q&A.
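
To act on the answer's first step (obtaining the source workstation from the 4776 events), this added example, which is not part of the original question or answer, counts 4776 records per workstation, account and outcome from exported event XML. The sample records, host names and account names are constructed, and it assumes the exported records are wrapped in a single `<Events>` root element.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(time, user, workstation, status, event_id=4776):
    """Build one constructed record in the Windows event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{time}"/></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="Workstation">{workstation}</Data>'
        f'<Data Name="Status">{status}</Data></EventData></Event>')

# Constructed sample data: host and account names are made up.
SAMPLE = "<Events>" + "".join([
    _event("2024-01-10T08:00:01Z", "alice", "PC-101", "0x0"),
    _event("2024-01-10T08:00:02Z", "alice", "PC-101", "0x0"),
    _event("2024-01-10T08:00:40Z", "alice", "PC-101", "0x0"),
    _event("2024-01-10T08:01:05Z", "svc_backup", "SRV-07", "0xc000006a"),
    _event("2024-01-10T08:01:09Z", "bob", "", "0x0"),  # blank Workstation field
    _event("2024-01-10T08:01:10Z", "bob", "PC-102", "0x0", event_id=4624),  # skipped
]) + "</Events>"

def parse_4776(xml_text):
    """Return (minute, workstation, user, outcome) for each 4776 record."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4776":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        ok = int(data.get("Status") or "0x0", 16) == 0  # Status 0x0 means success
        rows.append((when[:16], data.get("Workstation") or "(blank)",
                     data.get("TargetUserName", ""), "success" if ok else "failure"))
    return rows

def top_sources(rows):
    """Count validations per (workstation, user, outcome), busiest first."""
    return Counter((w, u, o) for _, w, u, o in rows).most_common()

def busiest_minute(rows):
    """Return ((minute, workstation), count) for the densest one-minute burst."""
    return Counter((m, w) for m, w, _, _ in rows).most_common(1)[0]

if __name__ == "__main__":
    for key, count in top_sources(parse_4776(SAMPLE)):
        print(count, *key)
```

A workstation that dominates the counts with only successful validations points to repeated NTLM logons from that host rather than to wrong or stale credentials.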