Each error message includes a code and a context number. For example:
Consider the following error message:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772]
It can be decoded using the data part of the message.
Invalid credentials imply that the user ID or password is incorrect.
The following sample error codes are subject to change by Microsoft or its agents:
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Log on failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.
80090308: LdapErr:DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 - not permitted to log on at this time
DEC: 1328 - ERROR_INVALID_LOGON_HOURS (Log on failure: account log on time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to log on from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Log on failure: user not allowed to log on to this computer.)
LDAP[userWorkstations:,multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 - password expired
DEC: 1330 - ERROR_PASSWORD_EXPIRED (Log on failure: the specified account password has expired.)
LDAP[userAccountControl:<bitmask=0x00800000>] - PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 - account disabled
DEC: 1331 - ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl:<bitmask=0x00000002>] ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 - account expired
DEC: 1793 - ERROR_ACCOUNT_EXPIRED (The user's account has expired.)
LDAP[accountExpires:<value of -1, 0, or extremely large value indicates account will not expire>] - ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID 0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be changed before logging on the first time.)
LDAP[pwdLastSet:<value of 0 indicates admin-required password change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 - account locked out
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (the referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl:<bitmask=0x00000010>] - LOCKOUT
NOTE: Returns even if invalid password is presented