Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

A user tried to log on to the system using an account that is locked out. A large number of these events logged in Event Viewer usually indicate that a service account password is configured incorrectly or a program password does not match the password on the server. This might be caused by a password-guessing attack against an account that has account lock out enabled, but this is highly unusual.

The User Name field specifies the account used in the logon request.

The code in the Logon Type field specifies the logon method used. The following table explains the logon type code:

The Workstation name field specifies the NetBIOS name of the remote computer that originated the logon request. If no information is displayed in this field, either a Kerberos logon attempt failed because the ticket could not be decrypted, or a non-Windows NetBIOS implementation or utility did not supply the remote computer name in the logon request.

The Caller fields specify the process that received the log on request.

The Transited Services field specifies, in order, the services or programs through which the user’s credentials were authenticated using constrained delegation.

The Source Network Address and Source Port fields specify the source IP address and source port number for the remote computer that sent the logon request.

No user action is required.