Hello,
Thank you so much for posting here.
This event is generated every time a credential validation occurs using NTLM authentication. It shows successful and unsuccessful credential validation attempts.
We would like to recheck whether there is any event 4740 reporting account lockouts near the event 4776.
Through the 4776 event log, we can obtain the source workstation address, log in to the computer and refer to the steps below to check:
• Check the credential management to see if there are old cached credentials for the user
• Check if you have used the wrong password to mount the network disk
• Check whether the user has used the wrong password to start services, run scheduled tasks, etc.
• Check whether there are other third-party programs that cache the user's wrong password
If you have any questions, please feel free to contact us.
Best regards,
Hannah Xiong
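One way to run the 4740-near-4776 check and read the source workstation out of the 4776 events, as an added example that is not part of the original answer. It assumes an elevated PowerShell session on a domain controller; the 24-hour look-back, the 5-minute window and the helper name `Get-EventFields` are assumptions made for illustration.

```powershell
# Added example: correlate failed NTLM validations (4776) with lockouts (4740).
$Hours         = 24   # assumed look-back period
$WindowMinutes = 5    # assumed meaning of "near" between a 4776 and a 4740
$start = (Get-Date).AddHours(-$Hours)

# Hypothetical helper: turn an event's <EventData> into a hashtable by field name.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 4740: account lockouts. TargetDomainName carries the caller computer name.
$lockouts = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$start} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $f.TargetUserName; Caller = $f.TargetDomainName }
    }

# 4776: Status 0x0 is success; 0xC000006A is a bad password, 0xC0000234 a locked account.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776; StartTime=$start} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $f.TargetUserName
                           Workstation = $f.Workstation; Status = $f.Status }
    } |
    Where-Object { $_.Status -ne '0x0' } |
    Group-Object Account, Workstation, Status |
    ForEach-Object {
        $g     = $_
        $first = $g.Group[0]
        $times = @($g.Group.Time)
        # Lockouts of the same account within the window of any failure in this group.
        $near = @($lockouts | Where-Object {
            $l = $_
            $l.Account -eq $first.Account -and
            ($times | Where-Object { [math]::Abs(($l.Time - $_).TotalMinutes) -le $WindowMinutes })
        })
        [pscustomobject]@{
            Account        = $first.Account
            Workstation    = $first.Workstation   # the machine to log in to and inspect
            Status         = $first.Status
            Failures       = $g.Count
            LastFailure    = @($times | Sort-Object)[-1]
            LockoutsNearby = $near.Count
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Rows with a non-zero `LockoutsNearby` name the workstation on which to carry out the checks listed in the answer.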