Security Event 681

Article ID : 273499 Last Review : September 23, 2003 Revision : 3.0

When auditing logon events on a Windows 2000-based domain controller (DC) and
a failed logon attempt is made from a down-level client or
through a trust with a down-level domain, a "Failure Audit" event with an event ID of 681 may be logged in the Security Event log, the source of the event is "Security".

Error codes in the Event Log message are shown in decimal , but they should be intrepreted as hexadecimal values.

common error codes:
Error CodeHexUser logon...
3221225572 C0000064 with misspelled or bad user account
…5578 …06A with misspelled or bad password
…5581 …06D has incorrect user name
…5583 …06F outside authorized hours
…5584 …070 from unauthorized workstation
…5585 …071 with expired password
…5586 …072 to account disabled by administrator
…5875 …193 with expired account
…6020 …224 with "Change Password at Next Logon" flagged
…6036 …234 with account locked

Keywords: 
kbinfo KB273499
previously published under Q273499
http://support.microsoft.com/kb/273499/en-us