When a down-level client fails a logon attempt, Windows 2000 generates Event Id 681 on the Windows 2000 domain controller.
NOTE: This also happens through a trust to a down-level domain.
The source of the event is Security. These events contain error codes which I will describe.
NOTE: The error codes in the Security Event log message are displayed in decimal.
|3221225572||C0000064||User logon with misspelled or bad user account|
|3221225578||C000006A||User logon with misspelled or bad password|
|3221225583||C000006F||User logon outside authorized hours|
|3221225584||C0000070||User logon from unauthorized workstation|
|3221225585||C0000071||User logon with expired password|
|3221225586||C0000072||User logon to account disabled by administrator|
|3221225875||C0000193||User logon with expired account|
|3221226020||C0000224||User logon with "Change Password at Next Logon" flagged|
|3221226036||C0000234||User logon with account locked|