Windows Security Log Event ID 680

Operating Systems: Windows Server 2000, Windows 2003 and XP
Category: Account Logon
Type: Success, Failure
Corresponding events in Windows 2008 and Vista: 4776

680: Account Used for Logon by


This event varies depending on the OS.

Win2000

When a DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. The event specifies which user account logged on (Account Name) and, in the Workstation field, the name of the client computer from which the user initiated the logon.

On member servers and workstations, this event is logged only for logon attempts with local SAM accounts.
The Account Used for Logon By field identifies the authentication package that processed the authentication request.

Win2003

When a DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. The event specifies which user account logged on (Account Name) and, in the Workstation field, the name of the client computer from which the user initiated the logon.

On member servers and workstations, this event is logged only for logon attempts with local SAM accounts.
The Account Used for Logon By field identifies the authentication package that processed the authentication request.

In Windows Server 2003, Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed NTLM authentication attempts. On Windows Server 2003, therefore, don't look for event ID 681, and be sure to take into account the success/failure status of each occurrence of event ID 680.

Error Code (Decimal)  Error Code (Hexadecimal)  Error Description
3221225572            C0000064                  user name does not exist
3221225578            C000006A                  user name is correct but the password is wrong
3221226036            C0000234                  user is currently locked out
3221225586            C0000072                  account is currently disabled
3221225583            C000006F                  user tried to log on outside his day of week or time of day restrictions
3221225584            C0000070                  workstation restriction
3221225875            C0000193                  account expiration
3221225585            C0000071                  expired password
3221226020            C0000224                  user is required to change password at next logon
3221226021            C0000225                  evidently a bug in Windows and not a risk

Microsoft's Comments:

Activity already recorded by other events.


Description Fields in 680

  • Logon attempt by: %1
  • Logon account: %2
  • Source Workstation: %3
  • Error Code: %4


Examples of 680

Win2000

Account Used for Logon by: %1
Account Name: %2
Workstation: %3

Win2003

Logon attempt by:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:sbergman
Source Workstation:RAID
Error Code:0xC0000064
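
The following added example, which is not from the original page, parses Win2003-format 680 descriptions, looks up Error Code in the table above in either its hex or decimal form, and counts failed attempts per source workstation. The sample events are constructed (the first repeats the Win2003 example above), and treating an error code of 0x0 as success is an assumption.

```python
import re
from collections import Counter

# Failure codes copied from the table on this page (hex value -> description).
ERROR_CODES = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000234: "user is currently locked out",
    0xC0000072: "account is currently disabled",
    0xC000006F: "user tried to logon outside his day of week or time of day restrictions",
    0xC0000070: "workstation restriction",
    0xC0000193: "account expiration",
    0xC0000071: "expired password",
    0xC0000224: "user is required to change password at next logon",
    0xC0000225: "evidently a bug in Windows and not a risk",
}
FIELD = re.compile(r"^[ \t]*(Logon attempt by|Logon account|Source Workstation"
                   r"|Error Code)[ \t]*:[ \t]*(.*?)[ \t\r]*$", re.MULTILINE)

def parse_680(description):
    """Parse one Win2003-format 680 description; 0x0 is assumed to mean success."""
    fields = dict(FIELD.findall(description))
    raw = fields.get("Error Code")
    if raw is None:
        raise ValueError("no Error Code field (Win2000-format event?)")
    # The table lists each code in hex and decimal, so accept either form.
    code = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    reason = ERROR_CODES.get(code, "unlisted code 0x%08X" % code)
    return {"package": fields.get("Logon attempt by"),
            "account": fields.get("Logon account"),
            "workstation": fields.get("Source Workstation"),
            "success": code == 0, "reason": None if code == 0 else reason}

def failures_by_source(descriptions):
    """Count failed attempts per (source workstation, reason)."""
    events = (parse_680(d) for d in descriptions)
    return Counter((e["workstation"], e["reason"]) for e in events if not e["success"])

# Constructed sample input: the page's Win2003 example, the same code in
# decimal form, a wrong-password failure, and an assumed success (0x0).
TEMPLATE = ("Logon attempt by:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            "Logon account:%s\nSource Workstation:%s\nError Code:%s\n")
SAMPLE = [TEMPLATE % row for row in [
    ("sbergman", "RAID", "0xC0000064"), ("admin", "RAID", "3221225572"),
    ("sbergman", "RAID", "0xC000006A"), ("sbergman", "RAID", "0x0")]]

if __name__ == "__main__":
    for (workstation, reason), n in failures_by_source(SAMPLE).most_common():
        print(n, workstation, reason)
```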
