This security policy setting determines whether the operating system generates audit events on credentials submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials:
- For domain accounts, the domain controller is authoritative.
- For local accounts, the local computer is authoritative.
Event volume: High on domain controllers
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may be recorded on the same computer as the related Logon/Logoff events or on a different one.
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
- 4774: An account was mapped for logon.
- 4775: An account could not be mapped for logon.
- 4776: The domain controller attempted to validate the credentials for an account.
- 4777: The domain controller failed to validate the credentials for an account.
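
The following is an added example, not part of the original documentation: a triage script that reads exported Security-log XML, keeps the 4776 records, and reports failed credential validations per source workstation. The host names, account names, the `threshold` value and the assumption that the export is wrapped in a single `<Events>` root element are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS codes that appear in the Status field of event 4776 (0x0 = success).
STATUS = {"0xc0000064": "no such user", "0xc000006a": "wrong password",
          "0xc0000234": "account locked out"}

def _event(user, workstation, status):
    """Build one constructed 4776 record in the Windows event XML schema."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4776</EventID>'
            "<Computer>dc01.example.test</Computer></System><EventData>"
            '<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="Workstation">{workstation}</Data>'
            f'<Data Name="Status">{status}</Data></EventData></Event>')

# Constructed sample input (hypothetical hosts and accounts), not real log data.
SAMPLE = "<Events>" + "".join(_event(*row) for row in [
    ("alice", "WS-014", "0xC000006A"),
    ("bob", "WS-014", "0xC000006A"),
    ("svc_backup", "WS-014", "0xC0000064"),
    ("carol", "WS-022", "0xC000006A"),
    ("carol", "WS-022", "0x0"),
]) + "</Events>"

def parse_4776(xml_text):
    """Yield (account, workstation, status) for every 4776 event in the export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4776":
            continue  # ignore 4774/4775/4777 and unrelated events
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield data.get("TargetUserName", ""), data.get("Workstation", ""), data.get("Status", "").lower()

def failures_by_workstation(xml_text):
    """Map workstation -> {account: failure reason} for failed validations only."""
    out = defaultdict(dict)
    for user, workstation, status in parse_4776(xml_text):
        if status != "0x0":
            out[workstation][user] = STATUS.get(status, status)
    return dict(out)

def flag_multi_account(xml_text, threshold=3):
    """Workstations with failures for at least `threshold` distinct accounts."""
    return sorted(ws for ws, accts in failures_by_workstation(xml_text).items()
                  if len(accts) >= threshold)

if __name__ == "__main__":
    print(failures_by_workstation(SAMPLE))
    print("review:", flag_multi_account(SAMPLE))
```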