Substatus Codes

Event ID 4776 is generated when the domain controller attempts to validate a user's credentials during a logon attempt. This event is particularly associated with the use of NTLM authentication. Understanding the substatus codes that accompany this event is crucial for diagnosing authentication issues and identifying potential security concerns. Here is an in-depth look at common substatus codes for Event ID 4776, providing insights into what each code indicates.

Common Substatus Codes for Event ID 4776

0xC0000064: The specified user does not exist. This code indicates that the username entered does not match any account in the domain.
0xC000006A: User name is correct, but the password is wrong. This signifies an incorrect password was entered for the username.
0xC000006C: Password policy not met. This code appears when the password does not meet the domain's password policy (complexity, length, history, etc.).
0xC000006D: This is a generic logon failure code that indicates the attempted logon is invalid due to a bad username or authentication information.
0xC000006E: User account restriction has prevented successful logon. This could be due to logon hours restrictions, disabled account, or another policy setting.
0xC000006F: User logon with expired password. The user's password has expired, and they are attempting to log on with that expired password.
0xC0000070: Restricted workstation. The user is trying to log on to a workstation for which they do not have permissions.
0xC0000071: Password expired. The user's password has expired, requiring a password change.
0xC0000072: Account disabled. The account being used for the logon attempt has been disabled.
0xC0000133: Clocks between the client and server machines are skewed. This indicates a significant time difference between the client's and server's clocks, which can prevent authentication.
0xC000015B: The user has not been granted the requested logon type at this machine. This means the user is attempting to log on with a type that hasn't been granted (e.g., interactive, network).
0xC000018C: The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192: An attempt was made to logon, but the Netlogon service was not started. This code is seen when the Netlogon service is not running on the server processing the request.
0xC0000193: Account expiration. The account used for logon has expired according to its account expiration policy.
0xC0000224: User must change password at next logon. This typically requires the user to log on interactively and change their password.
0xC0000234: The user's account is locked out. This occurs after multiple failed logon attempts due to incorrect passwords.

Previous4776 - Kerberos Authentication Attempt Next4771 - Kerberos Failure

Last updated 1 year ago

Was this helpful?

Substatus Codes

Common Substatus Codes for Event ID 4776

0xC0000064: The specified user does not exist. This code indicates that the username entered does not match any account in the domain.
0xC000006A: User name is correct, but the password is wrong. This signifies an incorrect password was entered for the username.
0xC000006C: Password policy not met. This code appears when the password does not meet the domain's password policy (complexity, length, history, etc.).
0xC000006D: This is a generic logon failure code that indicates the attempted logon is invalid due to a bad username or authentication information.
0xC000006E: User account restriction has prevented successful logon. This could be due to logon hours restrictions, disabled account, or another policy setting.
0xC000006F: User logon with expired password. The user's password has expired, and they are attempting to log on with that expired password.
0xC0000070: Restricted workstation. The user is trying to log on to a workstation for which they do not have permissions.
0xC0000071: Password expired. The user's password has expired, requiring a password change.
0xC0000072: Account disabled. The account being used for the logon attempt has been disabled.
0xC0000133: Clocks between the client and server machines are skewed. This indicates a significant time difference between the client's and server's clocks, which can prevent authentication.
0xC000015B: The user has not been granted the requested logon type at this machine. This means the user is attempting to log on with a type that hasn't been granted (e.g., interactive, network).
0xC000018C: The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192: An attempt was made to logon, but the Netlogon service was not started. This code is seen when the Netlogon service is not running on the server processing the request.
0xC0000193: Account expiration. The account used for logon has expired according to its account expiration policy.
0xC0000224: User must change password at next logon. This typically requires the user to log on interactively and change their password.
0xC0000234: The user's account is locked out. This occurs after multiple failed logon attempts due to incorrect passwords.

Previous4776 - Kerberos Authentication Attempt Next4771 - Kerberos Failure

Last updated 1 year ago

Was this helpful?