Event-o-Pedia EventID 644 - User Account Locked Out

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 644 - User Account Locked Out

EventID 644 - User Account Locked Out

Indicates that a user account ("target account") was locked out due to the fact that the number of consecutive failed logon attempts exceeded the maximum allowed number set in the Domain Lockout Policy, or in case of local accounts - in the local lockout policy.

Note:
The account can be locked out for a set time period or until an administrator manually unlocks it.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2008

EventID 4740 - A user account was locked out

Sample:

        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Management
        Event ID:       644
        Date:           10/26/2009
        Time:           07:39:57
        User:           NT AUTHORITY\SYSTEM
        Computer:       DC1
        Description:
        User Account Locked Out:
        Target Account Name:	Paul
        Target Account ID:	%{S-1-5-21-184992632-1607737289-1287950321-1178}
        Caller Machine Name:	DC1
        Caller User Name:	DC1$
        Caller Domain:	RESEARCH
        Caller Logon ID:	(0x0,0x3E7)

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows 2000 Windows XP Windows 2003
Category	Account Management
Source	Security
EventId	644

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Category	A name for a subclass of events within the same Event Source.	Category	Logon/Logoff
Caller User Name	Account initiating action	InsertionString4	Alebovsky
Caller Domain	Domain of the account initiating action	InsertionString5	RESEARCH
Caller Logon ID	A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session.	InsertionString6	(0x0,0x59DF36)
Target Account Name	Name of the account on which the action is performed	InsertionString1	Paul
Target Account ID	Target Account Name in the following format: Target Domain\Target Account Name	InsertionString3	%{S-1-5-21-184992632-1607737289-1287950321-1178}
Caller Machine Name	Computer name initiating the action	InsertionString2	DC1