Windows Security Log Event ID 680

Operating Systems	Windows Server 2000 Windows 2003 and XP
Category	Account Logon
Type	Success Failure
Corresponding events in Windows 2008 and Vista	4776

680: Account Used for Logon by

On this page

Description of this event
Field level details
Examples
Mini-seminars on this event

This event varies depending on the OS.

Win2000

When DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.

This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
The Account Used for Logon By field identifies the authentication package that processed the authentication request. Read more about Account Logon events.

Win2003

When DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.

This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request.

In Windows Server 2003 Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed NTLM authentication attempts. So on Windows Server 2003 don't look for event ID 681 and be sure to take into account the success/failure status of occurrences of event ID 680.

Error Code		Error Description
Decimal	Hex- adecimal	Error Description
3221225572	C0000064	user name does not exist
3221225578	C000006A	user name is correct but the password is wrong
3221226036	C0000234	user is currently locked out
3221225586	C0000072	account is currently disabled
3221225583	C000006F	user tried to logon outside his day of week or time of day restrictions
3221225584	C0000070	workstation restriction
3221225875	C0000193	account expiration
3221225585	C0000071	expired password
3221226020	C0000224	user is required to change password at next logon
3221226021	C0000225	evidently a bug in Windows and not a risk

Microsoft's Comments:

Activity already recorded by other events.

Free Security Log Resources by Randy

Description Fields in 680

Logon attempt by: %1
Logon account: %2
Source Workstation: %3
Error Code: %4

Supercharger Free Edition

Examples of 680

Win2000

Account Used for Logon by: %1
Account Name: %2
Workstation: %3

Win2003

Logon attempt by:MICROSOFT _AUTHENTICATION _PACKAGE_V1_0
Logon account:sbergman
Source Workstation:RAID
Error Code:0xC0000064

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 680

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.