Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Details
Product: Windows Operating System
Event ID: 532
Source: Security
Version: 5.0
Symbolic Name: SE_AUDITID_ACCOUNT_EXPIRED
Message: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
   
Explanation

The logon attempt failed because the user account has expired. This restriction is configured on the user’s account on the local computer or on the domain.

  • The code in the Logon Type field specifies the logon method used. The following table explains the logon type code:
Logon Type
Logon Title
Description
2 Interactive A user logged on to this computer at the console.
3 Network A user or computer logged on to this computer from the network.
4 Batch Batch logon type is used by batch servers, where processes might run on behalf of a user without the user’s direct intervention.
5 Service A service was started by the Service Control Manager.
7 Unlock This computer was unlocked.
8 NetworkCleartext A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
9 NewCredentials A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
  • The Authentication Package field values are specified in the following table:
Authentication Package
Description
MSV1_0 and Microsoft_Authentication_Package_MV_1 Both refer to the MSV1_0 authentication package in the NTLM SSP (Security Support provider), which supports the NTLMv2, NTLM, and LM authentication protocols and local SAM lookups.
Kerberos Refers to the Kerberos authentication package in the Kerberos SSP, which supports the Kerberos protocol.
  • The Workstation name field specifies the NetBIOS name of the remote computer that originated the logon request. If no information is displayed in this field, either a Kerberos logon attempt failed because the ticket could not be decrypted, or a non-Windows NetBIOS implementation or utility did not supply the remote computer name in the logon request.
  • The Caller fields specify the process that received the logon request.
  • The Transited Services field specifies the services or programs in order through which the user’s credentials have been authenticated by using constrained delegation.
  • The Source Network Address and Source Port fields specify the source IP address and source port number for the remote computer that sent the logon request.
   
User Action

No user action is required.

Related:

Leave a Reply