Windows Server 2012 R4 Event Code 4776 blank source workstation

%3CLINGO-SUB%20id%3D%22lingo-sub-3345428%22%20slang%3D%22en-US%22%3EWindows%20Server%202012%20R4%20Event%20Code%204776%20blank%20source%20workstation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3345428%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20using%20an%20Active%20Directory%20server%20with%20Windows%20Server%202012%20R2%20Datacenter.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20Event%20Viewer%20of%20the%20AD%20Server%2C%20I%20want%20to%20track%20down%20logons%20(succeeded%2Ffailed)%20of%20users%20into%20servers%20monitored%20by%20this%20AD%20server.%3CBR%20%2F%3EAt%20the%20moment%2C%20I%20only%20see%20events%20with%20code%204776%20related%20to%20logons%2C%20but%20they%20lacks%20information%20about%20Source%20Workstation.%3CBR%20%2F%3EThis%20is%20an%20example%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CBR%20%2F%3EEventCode%3D4776%3CBR%20%2F%3EEventType%3D0%3CBR%20%2F%3EComputerName%3D%3CA%20href%3D%22http%3A%2F%2Fcomputer.name%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ecomputer.name%3C%2FA%3E%3CBR%20%2F%3ESourceName%3DMicrosoft%20Windows%20security%20auditing.%3CBR%20%2F%3EType%3DInformation%3CBR%20%2F%3ERecordNumber%3D6697575380%3CBR%20%2F%3EKeywords%3DAudit%20Success%3CBR%20%2F%3ETaskCategory%3DCredential%20Validation%3CBR%20%2F%3EOpCode%3DInfo%3CBR%20%2F%3EMessage%3DThe%20computer%20attempted%20to%20validate%20the%20credentials%20for%20an%20account.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAuthentication%20Package%3A%20MICROSOFT_AUTHENTICATION_PACKAGE_V1_0%3CBR%20%2F%3ELogon%20Account%3A%20logon-account%3CBR%20%2F%3ESource%20Workstation%3A%20source-workstation%3CBR%20%2F%3EError%20Code%3A%200x0%3CBR%20%2F%3E%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20monitor%20logons%20on%20those%20servers%20from%20the%20Active%20Controller%2C%20what%20policies%20should%20I%20configure%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3345428%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

Hello,

 

I am using an Active Directory server with Windows Server 2012 R2 Datacenter.

 

In the Event Viewer of the AD Server, I want to track down logons (succeeded/failed) of users into servers monitored by this AD server.
At the moment, I only see events with code 4776 related to logons, but they lacks information about Source Workstation.
This is an example:

 

"
EventCode=4776
EventType=0
ComputerName=computer.name
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=6697575380
Keywords=Audit Success
TaskCategory=Credential Validation
OpCode=Info
Message=The computer attempted to validate the credentials for an account.

 

 

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: logon-account
Source Workstation: source-workstation
Error Code: 0x0
"

 

To monitor logons on those servers from the Active Controller, what policies should I configure?

0 Replies