RE: Logon audit



In this case 680 is an NTLM v1 Logon failure, the status code from
ntstatus.h on an XP Pro box indicates-


# for hex 0xc000006e / decimal -1073741714 :
STATUS_ACCOUNT_RESTRICTION
# Indicates a referenced user name and authentication
# information are valid, but some user account restriction
# has prevented successful authentication (such as
# time-of-day restrictions).

This can also be caused by user right (or privilege) restrictions IIRC,
such as a user trying to logon locally (or over the network) that does
not have that right or has it denied, "Access this computer from the
network" right is denied, that kind of thing.

hth


-----Original Message-----
From: nemanja.janic@xxxxxxxxx [mailto:nemanja.janic@xxxxxxxxx]
Sent: Friday, June 09, 2006 12:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Logon audit

Hello list,

i need some help with interpreting what i see. I have Logon Failure
Audit turned on on several machines in my system (all Win XP pro), and i
keep getting this:

"

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account: <username>

Source Workstation: <stationname>

Error Code: 0xC000006E


Type stated is Failure Audit, Event ID is 680.

"


Username and workstation vary from machine to machine.


Now my question is, what is that Event ID680? I am sure that no users
are trying to logon to mentioned machines, and that there is no
shared-folder accessing going on. I tried to find answers all over the
web, but to no avail as of yet.

Is is a worm/virus of some sort? Or another win intricacy?

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------



Relevant Pages

  • Re: You are not authorized to view this page
    ... AUTHORITY\SYSTEM BAY18 "Logon Failure: ... Logon Process: Kerberos ... Caller User Name: - ...
    (microsoft.public.inetserver.iis.security)
  • Re: MSExchangeSA errors
    ... Well of course there are logon failures on the exchange server, ... > Please check if there are some Logon Failure auditing events in the ... > in the Local Computer Policy or the Default Domain Policy. ...
    (microsoft.public.exchange.admin)
  • Re: MSExchangeSA errors
    ... Well of course there are logon failures on the exchange server, ... Please check if there are some Logon Failure auditing events in the ... The user has not been granted the requested logon type at this ...
    (microsoft.public.exchange.admin)
  • Re: event IDs 681, 529 and error code 3221225572
    ... context of the log) and say "That's a hacker". ... When examining logon failures, go to the workstation that is generating ... > the "Account Logon" ... > I receive dozens logon failure audits per day about logon ...
    (microsoft.public.win2000.security)
  • Re: Logon Process contains garbled characters
    ... I would not consider the server compromised because they are logon failures. ... for compromise. ... AUTHORITY\SYSTEM Logon Failure: Reason: An error occurred during ...
    (microsoft.public.win2000.security)