User Account Locked Out: Target Account Name: %1 Target Account ID: %3 Caller Machine Name: %2 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6

Details
Product: Windows Operating System
Event ID: 644
Source: Security
Version: 5.2
Symbolic Name: SE_AUDITID_ACCOUNT_AUTO_LOCKED
Message: User Account Locked Out:
Target Account Name: %1
Target Account ID: %3
Caller Machine Name: %2
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6
   
Explanation

A user account was locked out. An account is locked out when a specified number of unsuccessful logon attempts occur over a specified time period.

Unsuccessful logon attempts might indicate that the user forgot the password. However, they can also indicate password guessing by an unauthorized user or a denial of service attack against your network.

The account can be locked out for a set time period or until an administrator manually unlocks it.

   
User Action

Immediately analyze the Security section of Event Viewer to determine whether this is an attack against your network. Look for Security 529 through Security 537 messages appearing immediately before the Security 644 message. If these messages appear frequently during a short time period (for example, several attempts per second), they can indicate that an attacker is rapidly trying numerous passwords until logon is successful or the account is locked out.

If Event Viewer shows an attack pattern, identify the source of the attack from the information that is provided in the messages and follow your security policy to mitigate the threat.

Related:

Leave a Reply