Server Security Event giving different Sub-Status code for same username.

Joomla 81 Reputation points
2022-02-17T11:12:13.56+00:00

Hi Community,

Anyone can help to tell why I am seeing two different sub-status codes for Event Code 4625 for same user account from same Computer Name.

Example: Lets say user name is pinto@gui_scavasini

Now in the Event Code 4625 I observed two different Sub-Status Codes for same user; one with 0xC0000064 which shows non-existing user account. And another one Sub-Status Code of 0xC000006A which means bad password typed by the end user. Also I can confirm that account pinto@gui_scavasini is an existing account.

Thanks in advance.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,725 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,865 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Limitless Technology 39,721 Reputation points
    2022-02-17T15:48:52.383+00:00

    Hello @Joomla

    You should look at the logon type. It is usally due to a bad cached credential or a stored credential for some specific access. The one that the user introduces would be the "Interactive Logon", while other codes such as Network Logon or Service, are related to stored credentials.

    https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types

    Hope this helps with your query,

    --
    --If the reply is helpful, please Upvote and Accept as answer--


  2. Darwin Isaac Pari Gil 0 Reputation points
    2023-11-23T15:19:30.91+00:00
    Status and Sub Status Codes Description (not checked against "Failure Reason:")
    0xC0000064 user name does not exist
    0xC000006A user name is correct but the password is wrong
    0xC0000234 user is currently locked out
    0xC0000072 account is currently disabled
    0xC000006F user tried to logon outside his day of week or time of day restrictions
    0xC0000070 workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
    0xC0000193 account expiration
    0xC0000071 expired password
    0xC0000133 clocks between DC and other computer too far out of sync
    0xC0000224 user is required to change password at next logon
    0xC0000225 evidently a bug in Windows and not a risk
    0xc000015b The user has not been granted the requested logon type (aka logon right) at this machine
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.