This article was previously published under Q273499
This article has been archived. It is offered "as is" and will no longer be updated.
When you try to audit logon events on a Windows 2000-based domain controller (DC) and a failed logon attempt is made from a down-level client or through a trust with a down-level domain, a "Failure Audit" event with an event ID of 681 may be logged in the Security Event log. Note that the source of the event is "Security". This article contains descriptions of the various error codes that are listed in the event description.
Note that the error codes in the Event Log message are in decimal form, but they are actually hexadecimal values. You can translate the values from decimal to hexadecimal by using the Calculator tool in Windows 2000, or by viewing the following table. The most common error codes you may receive are defined in the following table:
Hexadecimal Value Error Code
User logon with misspelled or bad user account
User logon with misspelled or bad password
User logon has incorrect user name
User logon outside authorized hours
User logon from unauthorized workstation
User logon with expired password
User logon to account disabled by administrator
User logon with expired account
User logon with "Change Password at Next Logon" flagged