diff --git a/changelogs/fragments/win_user-logon-err.yaml b/changelogs/fragments/win_user-logon-err.yaml
new file mode 100644
index 00000000000..6f4ec24ec07
--- /dev/null
+++ b/changelogs/fragments/win_user-logon-err.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+- win_user - Get proper error code when failing to validate the user's credentials
diff --git a/lib/ansible/modules/windows/win_user.ps1 b/lib/ansible/modules/windows/win_user.ps1
index 9de02fc3160..04381311db7 100644
--- a/lib/ansible/modules/windows/win_user.ps1
+++ b/lib/ansible/modules/windows/win_user.ps1
@@ -73,14 +73,19 @@ namespace Ansible
     $env:TMP = $original_tmp
 
     $handle = [IntPtr]::Zero
-    $logon_res = [Ansible.WinUserPInvoke]::LogonUser($Username, $null, $Password,
-        $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [Ref]$handle)
+    $logon_res = [Ansible.WinUserPInvoke]::LogonUser(
+        $Username,
+        $null,
+        $Password,
+        $LOGON32_LOGON_NETWORK,
+        $LOGON32_PROVIDER_DEFAULT,
+        [Ref]$handle
+    ); $err_code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
 
     if ($logon_res) {
         $valid_credentials = $true
         [Ansible.WinUserPInvoke]::CloseHandle($handle) > $null
     } else {
-        $err_code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
         # following errors indicate the creds are correct but the user was
         # unable to log on for other reasons, which we don't care about
         $success_codes = @(