Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 539 - Logon Failure - Account locked out [Win 2000 / XP]
EventID 539 - Logon Failure - Account locked out [Win 2000 / XP]
Indicates that user attempt to log on failed because a user tried to log on to the system using an account that is locked out.

Note:
A large number of these events logged in Event Viewer usually indicate that a service account password is configured incorrectly or a program password does not match the password on the server. This might be caused by a password-guessing attack against an account that has account lock out enabled, but this is highly unusual.
This event should not be confused with the actual account lockout EventID 644.
The code in the Logon Type field specifies the logon method used.
The Source Network Address and Source Port fields specify the source IP address and source port number for the remote computer that sent the logon request.
The Workstation name field specifies the NetBIOS name of the remote computer that originated the logon request. If no information is displayed in this field, either a Kerberos logon attempt failed because the ticket could not be decrypted, or a non-Windows NetBIOS implementation or utility did not supply the remote computer name in the logon request.

For explanation of the values of some fields please refer to the corresponding links below:

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2003
Windows 2008
 Sample:
        Event Type:     Failure Audit
        Event Source:   Security
        Event Category: Logon/Logoff
        Event ID:       539
        Date:           10/26/2009
        Time:           07:39:57
        User:           NT AUTHORITY\SYSTEM
        Computer:       DCCC1
        Description:
        Logon Failure:
        Reason:		Account locked out
        User Name:	Paul
        Domain:	LOGISTICS
        Logon Type:	2
        Logon Process:	seclogon
        Authentication Package:	Negotiate
        Workstation Name:	DCCC1
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Source Security
Category Logon/Logoff
EventId 539
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Domain Domain of the account for which logon is requested. InsertionString2 RESEARCH
User Name Account name of the user logging in InsertionString1 Paul
Logon Type Interactive, Network, Batch, etc. Please find the code descriptions here. InsertionString3 2
Logon Process The program executable that processed the logon. Please find full logon processes list here. InsertionString4 seclogon
Authentication Package The name of the authentication package (method) used to check user credentials (e.g. NTLM or Kerberos). Please find full authentication packages list here. InsertionString5 Negotiate
Workstation Name The NetBIOS name of the remote computer that originated the logon request InsertionString6 DCCC1
Comments
You must be logged in to comment