1

The logon events for the same are successful. The audit failure problem is only with 4776 events. Can someone help to resolve this? avmgr is a domain account. The same is used for accessing the MS SQL Server database.

Audit Failure:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/7/2013 4:17:06 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: abc.xyz.pqr
Description:
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: avmgr
Source Workstation: abc
Error Code: 0xc0000064

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-08-06T22:47:06.052490200Z" />
    <EventRecordID>9460344</EventRecordID>
    <Correlation />
    <Execution ProcessID="540" ThreadID="2996" />
    <Channel>Security</Channel>
    <Computer>abc.xyz.pqr</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">avmgr</Data>
    <Data Name="Workstation">abc</Data>
    <Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>
sagar

2 Answers

1

The famous err.exe tool tells us:

for hex 0xc0000064 / decimal -1073741724 :
  STATUS_NO_SUCH_USER    ntstatus.h
The specified user does not exist.
1 matches found for "0xc0000064"

You might specify the account as xyz.pqr\avmgr or avmgr@xyz.pqr instead.

Martin Binder
  • The user is already present as a domain user, but it looks like it's trying to match it against a local machine user. What can be the problem? – sagar Aug 28 '13 at 12:58
-1

Do the following:

From a command prompt run:
psexec -i -s -d cmd.exe
From the new DOS window run:
rundll32 keymgr.dll,KRShowKeyMgr
Remove any items that appear in the list of Stored User Names and Passwords.
Restart the computer.

zea62
  • This answer is a copy & paste suggestion from internet forum threads without the context of those threads to explain why it's useful. The answer should explain what the cause is and why this solution should work. The answer should also explain that PS Tools from SysInternals is required for psexec to run. But opening the credential manager does not require psexec in the first place. Also, someone would have to do this on every single computer in the domain in order to find the cached credential causing the problem. – Thomas Feb 27 '17 at 23:08
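
Added example, not part of either answer or of the original thread: Python code that parses 4776 records exported as XML, decodes the Status value the way the err.exe output above does, and tallies failures per source workstation, so the machine presenting the bad credential can be read from the validating computer's own Security log. The sample events, the workstation name `def`, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values (ntstatus.h) that can appear in the Status field of event 4776.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
}

def event_xml(user, workstation, status):
    """Build a constructed 4776 record with the same fields as the event in the question."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4776</EventID></System><EventData>'
        f'<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="Workstation">{workstation}</Data>'
        f'<Data Name="Status">{status}</Data></EventData></Event>'
    )

# Constructed sample: two failures like the one in the question, one success (0x0),
# and one wrong-password failure from a hypothetical second workstation "def".
SAMPLE = [event_xml("avmgr", "abc", "0xc0000064"), event_xml("avmgr", "abc", "0xc0000064"),
          event_xml("avmgr", "abc", "0x0"), event_xml("avmgr", "def", "0xc000006a")]

def parse_4776(xml_text):
    """Return account, workstation and decoded status for a 4776 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4776":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    code = int(data["Status"], 16)
    return {"account": data["TargetUserName"], "workstation": data["Workstation"],
            "status": code,
            # err.exe also prints the code as a signed 32-bit decimal
            "signed": code - (1 << 32) if code & 0x80000000 else code,
            "name": NTSTATUS.get(code, "UNKNOWN")}

def failures_by_source(xml_events):
    """Count audit failures per (workstation, account, status name), most frequent first."""
    tally = Counter()
    for text in xml_events:
        ev = parse_4776(text)
        if ev and ev["status"] != 0:  # 0x0 is a successful validation
            tally[(ev["workstation"], ev["account"], ev["name"])] += 1
    return tally.most_common()

if __name__ == "__main__":
    for key, count in failures_by_source(SAMPLE):
        print(count, *key)
```
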