Status and Sub Status Code:
Log Sample:
| status and sub_status_code | description |
| 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | user name does not exist |
| 0xC000006A | user name is correct but the password is wrong |
| 0XC000006D | This is either due to a bad username or authentication information |
| 0XC000006E | Unknown user name or bad password. |
| 0xC000006F | user tried to logon outside his day of week or time of day restrictions |
| 0xC0000070 | workstation restriction or Authentication Policy Silo violation (look for event ID 4820 on domain controller) |
| 0xC0000071 | expired password |
| 0xC0000072 | account is currently disabled |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0xC0000133 | clocks between DC and other computer too far out of sync |
| 0xc000015b | The user has not been granted the requested logon type (aka logon right) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0XC0000192 | An attempt was made to logon but the netlogon service was not started. |
| 0XC0000193 | account expiration |
| 0XC0000224 | user is required to change password at next logon |
| 0xC0000225 | evidently a bug in Windows and not a risk |
| 0xC0000234 | user is currently locked out |
| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
{
"EventTime": "2017/08/25 14:09:12"
"Hostname": "CIVDCS-ADC1.changeme.com"
"Keywords": -9218868437227405312
"EventType": "AUDIT_FAILURE"
"SeverityValue": 4
"Severity": "ERROR"
"EventID": 4625
"SourceName": "Microsoft-Windows-Security-Auditing"
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
"Version": 0
"Task": 12544
"OpcodeValue": 0
"RecordNumber": 56611365
"ProcessID": 528
"ThreadID": 4672
"Channel": "Security"
"Message": "An account failed to log on."
"Category": "Logon"
"Opcode": "Info"
"SubjectUserSid": "S-1-0-0"
"SubjectUserName": "-"
"SubjectDomainName": "-"
"SubjectLogonId": "0x0"
"TargetUserSid": "S-1-0-0"
"TargetUserName": "MININT-UP26I95$"
"TargetDomainName": "changeme"
"Status": "0xc000006d"
"FailureReason": "%%2313"
"SubStatus": "0xc000006a"
"LogonType": "3"
"LogonProcessName": "NtLmSsp "
"AuthenticationPackageName": "NTLM"
"WorkstationName": "MININT-UP26I95"
"TransmittedServices": "-"
"LmPackageName": "-"
"KeyLength": "0"
"ProcessName": "-"
"IpAddress": "172.23.130.64"
"IpPort": "65284"
"EventReceivedTime": "2017/08/25 14:09:12"
"SourceModuleName": "wineventlog_in"
"SourceModuleType": "im_msvistalog"
}
Failure Reason:
| %%2305 | The specified user account has expired. |
| %%2309 | The specified account's password has expired. |
| %%2310 | Account currently disabled. |
| %%2311 | Account logon time restriction violation. |
| %%2312 | User not allowed to logon at this computer. |
| %%2313 | Unknown user name or bad password. |
Greetings,
ReplyDeleteThanks!
Can you post the reference for this information? MS DOcs?
2304,"An Error occured during Logon."
ReplyDelete2305,"The specified user account has expired."
2306,"The NetLogon component is not active."
2307,"Account locked out."
2308,"The user has not been granted the requested logon type at this machine."
2309,"The specified account's password has expired."
2310,"Account currently disabled."
2311,"Account logon time restriction violation."
2312,"User not allowed to logon at this computer."
2313,"Unknown user name or bad password."
2314,"Domain sid inconsistent."
2315,"Smartcard logon is required and was not used."
how do you find the source of account lock? Which machine and application has locked the account?
ReplyDelete