Event ID
Description
528
A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529
Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530
Logon failure. A logon attempt was made, but the user account tried to log on outside of the allowed time.
531
Logon failure. A logon attempt was made using a disabled account.
532
Logon failure. A logon attempt was made using an expired account.
533
Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534
Logon failure. The user attempted to log on with a type that is not allowed.
535
Logon failure. The password for the specified account has expired.
536
Logon failure. The Netlogon service is not active.
537
Logon failure. The logon attempt failed for other reasons.
Note
In some cases, the reason for the logon failure may not be known.
538
The logoff process was completed for a user.
539
Logon failure. The account was locked out at the time the logon attempt was made.
540
A user successfully logged on to a network.
541
Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542
A data channel was terminated.
543
Main mode was terminated.
Note
This might occur as a result of the time limit on the security association expiring, policy changes, or peer termination. (The default expiration time for security associations is eight hours.)
544
Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545
Main mode authentication failed because of a Kerberos failure or a password that is not valid.
546
IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
547
A failure occurred during an IKE handshake.
548
Logon failure. The security identifier (SID) from a trusted domain does not match the account domain SID of the client.
549
Logon failure. All SIDs that correspond to untrusted namespaces were filtered out during an authentication across forests.
550
A denial-of-service attack may have taken place.
551
A user initiated the logoff process.
552
A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
672
An authentication service (AS) ticket was successfully issued and validated.
673
A ticket-granting service (TGS) ticket was granted.
674
A security principal renewed an AS ticket or TGS ticket.
675
Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
676
Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family.
677
A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.
678
An account was successfully mapped to a domain account.
681
Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family.
682
A user has reconnected to a disconnected terminal server session.
683
A user disconnected a terminal server session without logging off.
Note
This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
Netlogon Logon Types
When many Netlogon logon events are logged, a logon type is also listed in the event details. The following table describes each logon type.
Table 5 Netlogon Logon Types
Logon type
Logon title
Description
2
Interactive
A user logged on to this computer.
3
Network
A user or computer logged on to this computer from the network.
4
Batch
The batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5
Service
A service was started by the Service Control Manager.
7
Unlock
This workstation was unlocked.
8
NetworkCleartext
A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9
NewCredentials
A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10
RemoteInteractive
A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11
CachedInteractive
A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.