with some more digging I found users using a combination of 672/673, so I'm getting confused. If a 680 failure event is what I'm using to say why a user did not get signed on, why wouldn't I use the successful to validate them getting on the LAN?
I'm using 2003 and some 2008 DC's what should I be doing?
680 is an NTLM event. 672 is Kerberos. Windows can use either of these.