Audit Credential Validation

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This security policy setting determines whether the operating system generates audit events on credentials submitted for a user account logon request.

These events occur on the computer that is authoritative for the credentials:

  • For domain accounts, the domain controller is authoritative.

  • For local accounts, the local computer is authoritative.

Event volume: High on domain controllers

Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon/Logoff events.

Default: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event message


An account was mapped for logon.


An account could not be mapped for logon.


The domain controller attempted to validate the credentials for an account.


The domain controller failed to validate the credentials for an account.