﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 644 - User Account Locked Out </title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Thu, 17 May 2012 09:09:12 GMT</lastBuildDate><ttl>20</ttl><item><title>Account Locked Out -- Caller User Name</title><link>http://forum.ultimatewindowssecurity.com/Topic907-91-1.aspx</link><description>I'm a novice with Windows logs, so I'm a bit confused what it means when the caller user name ends with a dollar ($) sign.  I believe this is a machine account, correct?  Does this simply indicate some action has taken part on behalf of the user via a machine account?  I notice that in all of the Account Locked Out events (644), the Caller User Name always appears to end in a dollar sign.&lt;br&gt;&lt;br&gt;Thanks!</description><pubDate>Wed, 01 Feb 2012 23:56:49 GMT</pubDate><dc:creator>pittdaydreamer</dc:creator></item><item><title>Security:644 - User Account Locked Out</title><link>http://forum.ultimatewindowssecurity.com/Topic797-91-1.aspx</link><description>Our Domain Policy states an account lockout occurs after 3 consecutive lockouts. I had a question, Would I see three "Pre-authentication failed" Security:675 and then the "User Account Locked Out" Security:644 or would I see two Security 675 and then the third would be the 644???</description><pubDate>Tue, 06 Sep 2011 16:02:49 GMT</pubDate><dc:creator>econnor</dc:creator></item><item><title>644 - Failures</title><link>http://forum.ultimatewindowssecurity.com/Topic649-91-1.aspx</link><description>In the Encyclopedia it says that 644 can have Success or Failure.  
When would we see a Failure of the account getting locked because of too many failed logins?</description><pubDate>Thu, 28 Apr 2011 15:10:52 GMT</pubDate><dc:creator>pwstoecker</dc:creator></item><item><title>Event ID 644 lockouts</title><link>http://forum.ultimatewindowssecurity.com/Topic530-91-1.aspx</link><description>I have a user whose AD account keeps getting locked out almost daily for about the past month or so.  We use NetIQ for log management.  I ran a forensic query against this user for that time period.  It shows Event ID 644 occurred several times.  I am trying to understand the Event ID 644 in more detail.  The report shows details of the event.  I am trying to identify what system (workstation or server) may be causing the lockout with the user's account.  I suspect there may be a drive attempting to get mapped or maybe a script/program running with this user's account.  The 644 details show the Caller Machine Name and Caller User Name.&lt;P&gt;&lt;FONT size=2&gt;Can you define in more detail the definition of these parameters and how they might relate to this user's account that keeps getting a lockout?&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size=2&gt;Thank you for providing your expert knowledge in this matter.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size=2&gt;Ray :)&lt;/FONT&gt;</description><pubDate>Tue, 09 Nov 2010 12:01:46 GMT</pubDate><dc:creator>iannotr</dc:creator></item><item><title>Details of User ID Locked Out in particular Time Window</title><link>http://forum.ultimatewindowssecurity.com/Topic367-91-1.aspx</link><description>Hi All,&lt;br&gt;&lt;br&gt;I want to identify which User ID got locked out during any given time frame. 
I am getting lots of events for Event ID 539 but am not able to decide when any particular User ID got locked out the very first time.&lt;br&gt;&lt;br&gt;I also need help understanding the difference between Event ID 539 &amp; 644.&lt;br&gt;&lt;br&gt;Looking for help. Thanks in advance.&lt;br&gt;&lt;br&gt;Thanks &amp; Regards,&lt;br&gt;Nagesh Lad</description><pubDate>Wed, 28 Apr 2010 22:36:35 GMT</pubDate><dc:creator>nageshlad</dc:creator></item><item><title>Local Account Locked Out</title><link>http://forum.ultimatewindowssecurity.com/Topic370-91-1.aspx</link><description>For an event 644/4740, is the local account that is locked out the Calling Computer, or the computer that the event is logged on? My understanding is the logon attempt is made from the Calling Computer to the Logging Computer using a local account on the Logging Computer, but just needed to confirm.</description><pubDate>Mon, 03 May 2010 11:02:41 GMT</pubDate><dc:creator>ronbo</dc:creator></item><item><title>Lots of 644 for user Administrator - unusual</title><link>http://forum.ultimatewindowssecurity.com/Topic98-91-1.aspx</link><description>Hello, &lt;br&gt;We have been experiencing an issue for some time and it always comes back to this. 
We are using RSA enVision to track our logs and when I run a report against event ID 644 to see if we have failures for the day we always see a few hundred (in the morning) for administrator, by end of day it's in the thousands.&lt;br&gt;&lt;br&gt;However here is what the errors look like.&lt;br&gt;&lt;br&gt;User Administrator&lt;br&gt;Device address: 172.x.x.x&lt;br&gt;Workstation: generally seems to be the same workstations let's call it MON0100&lt;br&gt;logon type = 0&lt;br&gt;Reason= blank&lt;br&gt;calling_address = blank&lt;br&gt;calling_username = DOM0100$ (DOM0100 is our primary domain controller)&lt;br&gt;&lt;br&gt;So the strange thing I am seeing is that we get these messages several hundred to thousand times a day and the calling username changes to various domain controllers throughout the day. When the error is reported from a workstation on a different forest it will be calling address from that domain controller.&lt;br&gt;Does anyone have any idea why this is happening?&lt;br&gt;Thank you soooooo much in advance for any help at all!&lt;br&gt;-Dan&lt;br&gt;</description><pubDate>Fri, 05 Jun 2009 09:42:45 GMT</pubDate><dc:creator>DarqAngels</dc:creator></item></channel></rss>
