Windows Security Log Event ID 681
| Operating Systems |
Windows Server 2000
Windows 2003 and XP
|
|
Category | Account Logon |
|
Type
|
Failure
|
Corresponding events
in Windows
2008
and Vista |
4776
|
681: The logon to account: %2 by: %1 from workstation: %3 failed.
On this page
This event varies depending on the OS.
Win2000
If an NTLM authentication request fails for any reason, W2k logs event ID 681.
Error code provides the reason for the failure.
|
Error Code
|
Error Description
|
|
Decimal
|
Hex-
adecimal
|
|
3221225572
|
C0000064
|
user name does not exist
|
|
3221225578
|
C000006A
|
user name is correct but the password is wrong
|
|
3221226036
|
C0000234
|
user is currently locked out
|
|
3221225586
|
C0000072
|
account is currently disabled
|
|
3221225583
|
C000006F
|
user tried to logon outside his day of week or time of day restrictions
|
|
3221225584
|
C0000070
|
workstation restriction
|
|
3221225875
|
C0000193
|
account expiration
|
|
3221225585
|
C0000071
|
expired password
|
|
3221226020
|
C0000224
|
user is required to change password at next logon
|
| 3221226021 |
C0000225 |
evidently a bug in Windows and not a risk |
Win2003
This event does not get logged by Windows Server 2003 despite MS documentation. It is replaced by
680 type Failure Audit.
In Windows Server 2003 Microsoft eliminated event ID 681 and instead uses event ID
680 for both successful and failed NTLM authentication attempts. So on Windows Server 2003 don't look for event ID 681 and be sure to take into account the success/failure status of occurrences of event ID
680.
Free Security Log Resources by Randy
- The logon to account: %2
- by: %1
- from workstation: %3
- failed. The error code was: %4
Supercharger Free Edition
Supercharger's built-in Xpath filters leave the noise behind.
Free.