Description of Security Event 681

This article was previously published under Q273499
This article has been archived. It is offered "as is" and will no longer be updated.
When you try to audit logon events on a Windows 2000-based domain controller (DC) and a failed logon attempt is made from a down-level client or through a trust with a down-level domain, a "Failure Audit" event with an event ID of 681 may be logged in the Security Event log. Note that the source of the event is "Security". This article contains descriptions of the various error codes that are listed in the event description.
Note that the error codes in the Event Log message are in decimal form, but they are actually hexadecimal values. You can translate the values from decimal to hexadecimal by using the Calculator tool in Windows 2000, or by viewing the following table. The most common error codes you may receive are defined in the following table:

Error CodeHexadecimal Value Error CodeCause
3221225572C0000064User logon with misspelled or bad user account
3221225578C000006AUser logon with misspelled or bad password
3221225581C000006DUser logon has incorrect user name
3221225583C000006FUser logon outside authorized hours
3221225584C0000070User logon from unauthorized workstation
3221225585C0000071User logon with expired password
3221225586C0000072User logon to account disabled by administrator
3221225875C0000193User logon with expired account
3221226020C0000224User logon with "Change Password at Next Logon" flagged
3221226036C0000234User logon with account locked

Article ID: 273499 - Last Review: 12/05/2015 21:43:36 - Revision: 3.2

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server

  • kbnosurvey kbarchive kbinfo KB273499