Windows Event ID 4766 – Microsoft-Windows-Security-Auditing: Computer Account Authentication Failed

Event ID 4766 indicates a computer account failed to authenticate with the domain controller. This security audit event fires when machine authentication fails during domain logon processes.

Emanuel DE ALMEIDA
18 March 2026 · 9 min read

Event Reference

What This Event Means

Event ID 4766 represents a computer account authentication failure within the Windows security auditing framework. When a domain-joined computer attempts to authenticate with a domain controller using its machine account credentials, various factors can cause this authentication to fail, triggering this audit event.

Computer accounts in Active Directory have passwords that automatically change every 30 days by default. These machine account passwords are managed by the Local Security Authority (LSA) and are significantly longer and more complex than typical user passwords. When authentication fails, it often indicates synchronization issues between the local machine's stored credentials and the domain controller's records.

The event contains detailed information including the target computer name, domain name, logon type, authentication package used, and failure reason codes. Common failure reasons include expired passwords, time synchronization issues exceeding the Kerberos time skew tolerance (typically 5 minutes), disabled computer accounts, or network connectivity problems preventing proper authentication handshakes.

This event is particularly important for monitoring automated systems, service accounts running as LocalSystem, and scheduled tasks that depend on computer account authentication. In enterprise environments, patterns of 4766 events can indicate broader infrastructure issues affecting multiple systems simultaneously.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Computer account password mismatch between local machine and domain controller
  • Time synchronization issues exceeding Kerberos tolerance (typically 5+ minutes)
  • Disabled or deleted computer account in Active Directory
  • Network connectivity issues preventing authentication with domain controllers
  • DNS resolution problems preventing location of domain controllers
  • Corrupted Local Security Authority (LSA) secrets database
  • Domain controller unavailability or overload during authentication attempts
  • Firewall blocking required authentication ports (88 for Kerberos, 389 for LDAP)
  • Trust relationship failures between computer and domain
  • Group Policy preventing computer account authentication
Resolution Methods

Troubleshooting Steps

01

Check Event Details and Time Synchronization

Start by examining the specific failure details and verifying time synchronization:

  1. Open Event Viewer > Windows Logs > Security
  2. Filter for Event ID 4766 using this PowerShell command:
     Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4766} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Check the failure reason in the event details, particularly the Status and Sub Status codes
  4. Verify time synchronization with the domain:
     w32tm /query /status
     w32tm /resync /rediscover
  5. Compare local time with domain controller time (the UNC path needs two leading backslashes):
     net time \\domaincontroller.domain.com
Pro tip: Status code 0xC000006A typically indicates wrong password, while 0xC0000071 indicates expired password.
02

Reset Computer Account Password

Reset the machine account password to resolve authentication mismatches:

  1. Test the current secure channel status:
     Test-ComputerSecureChannel -Verbose
  2. If the test fails, reset the computer account password:
     Reset-ComputerMachinePassword -Credential (Get-Credential)
  3. Alternatively, use the traditional netdom command:
     netdom resetpwd /server:domaincontroller.domain.com /userd:domain\administrator /passwordd:*
  4. Restart the computer to ensure the new password is properly applied
  5. Verify the secure channel is working:
     Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
Warning: Resetting the computer account password may temporarily disrupt services running under the LocalSystem account.
03

Verify Domain Controller Connectivity and DNS

Diagnose network and DNS issues affecting domain authentication:

  1. Test connectivity to domain controllers:
     nltest /dsgetdc:domain.com
     nltest /sc_query:domain.com
  2. Verify DNS resolution for domain controllers:
     nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com
     Resolve-DnsName -Name domain.com -Type A
  3. Test authentication ports connectivity:
     Test-NetConnection -ComputerName domaincontroller.domain.com -Port 88
     Test-NetConnection -ComputerName domaincontroller.domain.com -Port 389
     Test-NetConnection -ComputerName domaincontroller.domain.com -Port 636
  4. Check the domain controller's event logs for corresponding authentication failures
  5. Flush DNS cache and re-register with DNS:
     ipconfig /flushdns
     ipconfig /registerdns
04

Rejoin Computer to Domain

If other methods fail, rejoin the computer to the domain:

  1. Remove the computer from the domain (requires domain admin credentials):
     Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart
  2. After restart, verify the computer is in workgroup mode:
     Get-ComputerInfo | Select-Object CsDomain, CsWorkgroup
  3. Clean up any remaining domain references in the registry:
     Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" -Name * -Force -ErrorAction SilentlyContinue
  4. Rejoin the computer to the domain:
     Add-Computer -DomainName domain.com -Credential (Get-Credential) -Restart
  5. After restart, verify domain membership and test secure channel:
     Test-ComputerSecureChannel -Verbose
Warning: Rejoining the domain will reset all local group memberships and may affect installed software that relies on domain SIDs.
05

Advanced Troubleshooting with Kerberos Logging

Enable detailed Kerberos logging for advanced authentication troubleshooting:

  1. Enable Kerberos event logging in the registry:
     New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" -Name "LogLevel" -Value 1 -PropertyType DWord -Force
  2. Enable security audit logging for detailed authentication events:
     auditpol /set /subcategory:"Logon" /success:enable /failure:enable
     auditpol /set /subcategory:"Account Logon" /success:enable /failure:enable
  3. Monitor the System log for Kerberos events (Event IDs 3, 4, 11):
     Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kerberos-Key-Distribution-Center'} -MaxEvents 50
  4. Use network packet capture to analyze authentication traffic:
     netsh trace start capture=yes provider=Microsoft-Windows-Kerberos-Key-Distribution-Center level=5 keywords=0xffffffffffffffff
  5. After reproducing the issue, stop the trace and analyze:
     netsh trace stop
  6. Disable Kerberos logging after troubleshooting:
     Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" -Name "LogLevel" -Force

Overview

Event ID 4766 fires when a computer account fails to authenticate with a domain controller during machine authentication processes. This security audit event appears in the Security log when Windows attempts to establish a secure channel between a domain-joined computer and the domain controller, but the authentication fails.

The event typically occurs during system startup, scheduled tasks running under computer accounts, or when services attempt to authenticate using the machine account. Unlike user authentication failures, computer account authentication failures can indicate more serious issues with domain trust relationships, time synchronization problems, or corrupted computer account passwords.

This event is part of Windows Advanced Audit Policy Configuration and only appears when 'Audit Logon' or 'Audit Account Logon' policies are enabled. The event provides crucial information for diagnosing domain connectivity issues, identifying potential security threats, and troubleshooting automated processes that rely on computer account authentication.

Frequently Asked Questions

What does Event ID 4766 mean and when does it occur?
Event ID 4766 indicates that a computer account failed to authenticate with a domain controller. This event occurs when a domain-joined machine attempts to establish or maintain its secure channel with the domain but fails during the authentication process. Common scenarios include system startup, scheduled tasks running under the computer account, or services attempting to authenticate using machine credentials. The event is logged in the Security log when audit policies for logon events are enabled.
How often do computer account passwords change and why do they fail?
Computer account passwords automatically change every 30 days by default, managed by the Local Security Authority (LSA). Authentication failures typically occur when there's a mismatch between the password stored locally on the machine and the password recorded in Active Directory. This can happen due to replication delays, time synchronization issues, network interruptions during password changes, or if the computer account becomes disabled or deleted in Active Directory.
What are the most common status codes associated with Event ID 4766?
The most common status codes include: 0xC000006A (wrong password), indicating a password mismatch between local machine and domain controller; 0xC0000071 (expired password), showing the computer account password has expired; 0xC0000234 (account locked out), indicating the computer account is disabled; and 0xC000006D (logon failure), which can indicate various authentication issues including time synchronization problems or network connectivity issues.
Can Event ID 4766 indicate a security threat or attack?
While Event ID 4766 is typically caused by legitimate technical issues, it can sometimes indicate security threats. Attackers might attempt to use compromised computer accounts for lateral movement or privilege escalation. Unusual patterns such as authentication attempts from unexpected locations, multiple rapid failures from the same computer, or failures occurring outside normal business hours should be investigated. However, the majority of 4766 events are caused by infrastructure issues rather than malicious activity.
How can I prevent Event ID 4766 from recurring in my environment?
Prevent recurring 4766 events by maintaining proper time synchronization across all domain members using NTP configuration, ensuring reliable network connectivity between computers and domain controllers, monitoring domain controller health and availability, implementing proper DNS configuration and redundancy, and regularly checking for disabled or orphaned computer accounts in Active Directory. Additionally, ensure that Group Policy settings don't interfere with computer account authentication and maintain adequate domain controller capacity to handle authentication loads during peak times.
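The filtering command in Step 01 and the status-code and "multiple rapid failures" points in the FAQ above can be combined into one triage script. The following is an added example, not code from the original article; it assumes the event's EventData fields are named TargetUserName, Status and SubStatus, and that it runs in an elevated PowerShell session on a machine holding the relevant Security log.

```powershell
# Added example (not from the original article): triage Event ID 4766 entries from the Security log.
# It reads each event's XML, maps Status/SubStatus codes using the meanings listed in the FAQ,
# and flags computers with bursts of failures (the "multiple rapid failures" pattern).
# Assumptions: EventData fields named TargetUserName, Status, SubStatus; elevated session.

$StatusMeaning = @{
    '0xC000006A' = 'Wrong password (local / DC machine password mismatch)'
    '0xC0000071' = 'Password expired'
    '0xC0000234' = 'Account locked out'
    '0xC000006D' = 'Logon failure (check time skew and DC connectivity)'
}

# Event XML stores codes as lowercase hex (e.g. 0xc000006a); normalise to the table's form
function Format-NtStatus([string]$Code) {
    if ($Code) { '0x' + ($Code -replace '^0x', '').ToUpper() } else { '' }
}

function Get-4766Failures {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4766; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # SubStatus carries the precise reason when present; fall back to Status
        $code = Format-NtStatus $data['SubStatus']
        if (-not $StatusMeaning.ContainsKey($code)) { $code = Format-NtStatus $data['Status'] }
        $meaning = if ($StatusMeaning.ContainsKey($code)) { $StatusMeaning[$code] } else { 'Unlisted code; read the event message' }
        [pscustomobject]@{ Time = $_.TimeCreated; Computer = $data['TargetUserName']; Code = $code; Meaning = $meaning }
    }
}

# Report any computer with $Threshold or more failures inside a sliding window of $WindowMinutes
function Find-FailureBursts {
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $Events | Group-Object Computer | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $Threshold - 1].Time - $sorted[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ Computer = $_.Name; Failures = $Threshold; Minutes = [math]::Round($span.TotalMinutes, 1); FirstSeen = $sorted[$i].Time }
                break
            }
        }
    }
}

$events = @(Get-4766Failures -Hours 24)
$events | Format-Table Time, Computer, Code, Meaning -AutoSize
Find-FailureBursts -Events $events | Format-Table -AutoSize
```

A computer listed by Find-FailureBursts with a wrong-password code is the typical secure-channel mismatch case for Step 02; a burst with unlisted codes or outside normal hours is the pattern the FAQ suggests investigating further.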
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
