Audit Credential Validation – Success and Failure

Updated on May 21, 2025

Audit Credential Validation determines whether the operating system generates audit events when credentials are submitted for a user account logon request.

These events occur on the computer that is authoritative for the credentials:

  1. The Domain Controller is authoritative for domain accounts
  2. The local computer is authoritative for local accounts

In an enterprise environment, domain accounts are used more often than local accounts, so most user logon requests are in the domain environment, for which Domain Controllers are authoritative. As a result, the event volume is high on Domain Controllers and low on member servers and workstations.

Events for Audit Credential Validation are listed below:

Event   State              Description
4774    Success, Failure   An account was mapped for logon
4775    Failure            An account could not be mapped for logon
4776    Success, Failure   A computer attempted to validate the credentials for an account
4777    Failure            Domain Controller failed to validate the credentials for an account

Most account logon events occur in the Security log of the Domain Controllers. These events can also occur on local computers when logon requests for local accounts are received. This policy is used for NTLM authentication in the domain. Enabling this Group Policy audit setting makes it possible to monitor unsuccessful attempts and to find brute force attacks, account enumeration, and potential account compromise events on DCs.
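The following added example, which is not part of the original article, shows how failed event 4776 records can be triaged into account enumeration and password guessing per source workstation. It assumes events exported as XML, the NTSTATUS values 0xC0000064 (no such user) and 0xC000006A (wrong password) in the Status field, and an arbitrary threshold of 3; all host and account names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS values reported in the Status field of event 4776
NO_SUCH_USER, WRONG_PASSWORD = 0xC0000064, 0xC000006A

def parse_4776(xml_text):
    """Return (user, workstation, status) for a 4776 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4776":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return data["TargetUserName"].lower(), data["Workstation"].upper(), int(data["Status"], 16)

def triage(events, threshold=3):
    """Flag workstations by failure pattern; threshold is an assumed tuning value."""
    unknown_users = defaultdict(set)  # workstation -> distinct nonexistent account names
    bad_passwords = defaultdict(int)  # (workstation, user) -> wrong-password count
    for xml_text in events:
        rec = parse_4776(xml_text)
        if rec is None:
            continue  # not a credential validation event
        user, ws, status = rec
        if status == NO_SUCH_USER:
            unknown_users[ws].add(user)
        elif status == WRONG_PASSWORD:
            bad_passwords[(ws, user)] += 1
    findings = [("account_enumeration", ws, sorted(u))
                for ws, u in unknown_users.items() if len(u) >= threshold]
    findings += [("password_guessing", ws, [user])
                 for (ws, user), n in bad_passwords.items() if n >= threshold]
    return sorted(findings)

def _event(user, ws, status, event_id=4776):
    """Build a constructed sample event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            '<EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="Workstation">{ws}</Data>'
            f'<Data Name="Status">{status}</Data></EventData></Event>')

# Constructed sample data: three unknown accounts, four wrong passwords, one success, one other event
SAMPLE = ([_event(u, "WS-LAB-07", "0xc0000064") for u in ("admin1", "svc_test", "guest2")]
          + [_event("jdoe", "WS-LAB-12", "0xc000006a")] * 4
          + [_event("asmith", "WS-LAB-03", "0x0"), _event("jdoe", "WS-LAB-12", "0x0", 4624)])

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Without Failure auditing enabled for this subcategory, none of the records this logic depends on are written to the Security log.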


Vulnerability:

Forensic analysts might not be able to detect a security incident, or gather enough evidence of one, if audit settings are not configured or are too lenient on the computers in your organization. If audit settings are too severe, critically important entries in the Security log can be obscured by meaningless entries, and the performance of the computer and the available data storage can be seriously affected. Companies that operate in certain regulated industries are obliged to log certain events and activities.

Security Recommendations:

The recommended configuration can be applied through Group Policy. To do so, confirm that the UI path below is set as prescribed.

Policy Path:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Credential Validation

Set the above-mentioned UI path to Success and Failure to establish the recommended configuration via Group Policy.

Default Value:

By default, the policy is set to Success.

Automate audit policies implementation:

By using hardening automation tools, you can easily implement your audit policies across your entire production environment. Hardening automation tools will help you implement the right policy on the right machine and will eliminate the risk of production downtime.


Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
