Event ID: 644
Source: Security

Description
User Account Locked Out
Target Account Name:  <target account name>
Target Account ID: <target account id>
Caller Machine Name:  <caller computer name>
Caller User Name:  <caller user name>
Caller Domain:     <caller domain name>
Caller Logon ID:  <caller logon id>
Comments
 
As per MSW2KDB, a user account was locked out. An account is locked out when a specified number of unsuccessful logon attempts occur over a specified time period. Unsuccessful logon attempts might indicate that the user forgot the password. However, they can also indicate password guessing by an unauthorized user or a denial of service attack against your network.
The account can be locked out for a set time period or until an administrator manually unlocks it.

See ME824209 on how to use the EventCombMT utility to search the event logs of multiple computers for account lockouts.
This message may incorrectly appear in the security log, and it may not indicate that an account has been locked out because of bad logon attempts. See ME814511 for a hotfix applicable to Microsoft Windows NT Server 4.0.
Typically, this indicates that a user tried to log in several times but provided the wrong password. Once the security policy threshold for such events was reached, the account was locked out to prevent a security breach (in case someone is just trying to guess a password).
This may not be the case all the time. It may happen that a service is configured to use a certain account and password, and if that password is changed (without updating the service login credentials), then the service will keep trying to log in using the old password, thus triggering the lockout. If this happened after a recent change of a commonly used account, then you should look for services that might use it.
Sometimes certain applications keep passwords in their cache and try to use them after the user has changed his/her domain password.

The event provides the following information (which may help in troubleshooting it):
Target Account Name - the account that was the "target" of the logon attempt
Target Account ID - the security ID (SID) of the account; it should look something like this: S-1-5-21-369898947-932139053-1777090905-3716
Caller Machine Name - the computer from which the logon was attempted
Caller User Name - the user that tried to log on
Caller Domain - the domain from which the logon was attempted (could be different domains)
Caller Logon ID - the logon ID of the account that tried to perform the logon (a unique identifier that one can use to keep track of a user during a logon/logoff session).

On a Windows NT computer this may be recorded even if auditing is not enabled (see ME304693).

Also applicable to Windows NT, ME814511 says that sometimes this event may occur even if there were no real account lockouts. A supported fix is now available from Microsoft.

As per ME182918, when users enter a series of incorrect passwords in an attempt to log on to Windows NT using domain accounts and the Bad Logon Attempts limit for the account is reached, the account is locked out at the domain controller. Windows NT generates an account lockout event on the workstation where the failed logon attempts occurred if the audit policy on that workstation enables auditing of failed logon/logoff events. However, no event is logged at the domain controller. Administrators must search the event logs of all client systems to locate the computer where the bad password attempts originated. A hotfix is available.

ME171148 indicates a method to automate the detection of account lockouts. Also see ME174073 for tips on interpreting security auditing events related to user authentication.
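The causes discussed above (a forgotten password, a service or cached credential still using an old password, password guessing) can be told apart by grouping lockouts by Caller Machine Name and Target Account Name. The following Python is an added example, not part of the original page or of any Microsoft tool; it parses event text in the layout shown in the Description, and the sample records, thresholds and finding labels are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Field labels exactly as they appear in the Event ID 644 description.
FIELD = re.compile(r"^\s*(Target Account Name|Target Account ID|Caller Machine Name|"
                   r"Caller User Name|Caller Domain|Caller Logon ID):\s*(.*?)\s*$")

def parse_644(text):
    """Return one dict per 'User Account Locked Out' record in exported text."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == "User Account Locked Out":
            current = {}
            events.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return events

def triage(events, repeat_threshold=2, spread_threshold=3):
    """Group lockouts by caller machine; thresholds are assumed, tune locally."""
    per_machine = defaultdict(lambda: defaultdict(int))
    for e in events:
        machine = e.get("Caller Machine Name", "").upper() or "<unknown>"
        per_machine[machine][e.get("Target Account Name", "").lower()] += 1
    findings = {}
    for machine, accounts in per_machine.items():
        if len(accounts) >= spread_threshold:
            findings[machine] = "possible-password-guessing"   # many accounts, one source
        elif max(accounts.values()) >= repeat_threshold:
            findings[machine] = "check-services-and-cached-passwords"  # same account again
        else:
            findings[machine] = "single-lockout"
    return findings

def _record(account, machine):
    """Build one constructed record in the page's layout (all values invented)."""
    return ("User Account Locked Out\n"
            f"Target Account Name:  {account}\n"
            "Target Account ID: S-1-5-21-0-0-0-1000\n"
            f"Caller Machine Name:  {machine}\n"
            f"Caller User Name:  {machine}$\n"
            "Caller Domain:     EXAMPLE\n"
            "Caller Logon ID:  (0x0,0x3E7)\n")

SAMPLE = "\n".join(_record(a, m) for a, m in [
    ("svc_backup", "APPSRV01"), ("jsmith", "WKS042"), ("svc_backup", "APPSRV01"),
    ("alice", "KIOSK07"), ("bob", "KIOSK07"), ("carol", "KIOSK07")])

if __name__ == "__main__":
    for machine, finding in sorted(triage(parse_644(SAMPLE)).items()):
        print(f"{machine}: {finding}")
```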
