Event ID - 644

Event Id644
DescriptionUser Account Locked Out:
Target Account Name: %1
Target Account ID: %3
Caller Machine Name: %2
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6
Event InformationCause:
An account is locked out when a specified number of unsuccessful logon attempts occur over a specified time period.

Unsuccessful logon attempts might indicate that the user forgot the password. However, they can also indicate password guessing by an unauthorized user or a denial of service attack against your network.

The account can be locked out for a set time period or until an administrator manually unlocks it.

Analyze, to determine whether this is an attack against your network. Look for Security 529 through Security 537 messages appearing immediately before the Security 644 message. If these messages appear frequently during a short time period (for example, several attempts per second), they can indicate that an attacker is rapidly trying numerous passwords until logon is successful or the account is locked out.

If an attack pattern is shown up, identify the source of the attack from the information that is provided in the messages and follow your security policy to mitigate the threat.
Reference Links"Event ID: 644" Message Even When No Accounts Have Been Locked Out Because of Bad Logon Attempts

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.