Event ID 539 – Logon Failure: Account Locked Out
|Description||Logon failure – Account locked out|
Event 539 is generated when a user tries to log on to the system with an account that is locked out, and thus faces logon failure. This is different from event 644, which is the event where the account actually gets locked.
This log data provides the following information:
- User Name
- Logon Type
- Logon Process
- Authentication Package
- Workstation Name
Additionally, in Windows Server 2003, the following information is also made available:
- Caller User Name
- Caller Domain
- Caller Logon ID
- Caller Process ID
- Transited Services
- Source Network Address
- Source Port
Why does event ID 539 need to be monitored?
- To detect brute-force, dictionary, and other password guess attacks
- To detect abnormal and possibly malicious internal activity
- To come up with a benchmark for the account lockout threshold policy
- To ensure compliance with regulatory mandates
With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks logon failures, helping you meet your security, operational, and compliance needs with absolute ease.
Event 539 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Windows Vista is 4625.