Monday, 4 November 2013

Event ID 4740 - A user account was locked out

  In this article I explain the Active Directory account lockout event, Event ID 4740, including the steps to enable and disable it. The event belongs to the Account Management category, User Account Management subcategory, of the security audit policy. The equivalent of event 4740 on Server 2003/XP-based machines is 644.

Summary:

  1. Event 4740 Example source
  2. How to enable 4740 event through Default Domain Controllers Group Policy
  3. How to enable 4740 Account locked out event via Auditpol
  4. How to disable/stop 4740 Account locked out event

Event 4740 Example source

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          31/10/2013 5:02:05 PM
Event ID:      4740
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      myServer.myDomain.com
Description:
A user account was locked out.

Subject:
 Security ID:  SYSTEM
 Account Name:  myServer$
 Account Domain:  myDomain
 Logon ID:  0x3e7

Account That Was Locked Out:
 Security ID:  myDomain\testuser
 Account Name:  testUser

Additional Information:
 Caller Computer Name: my-PC

How to enable 4740 event through Default Domain Controllers Group Policy

1. Open Group Policy Management Console by running the command gpmc.msc

2. Expand the domain node, expand the Domain Controllers OU, then right-click the Default Domain Controllers Policy and click the Edit option

3. Expand the Computer Configuration node and go to the Audit Policy node (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).

4. In the right-side pane, select the policy Audit account management and enable the Success audit value.

5. To update or refresh GPO settings, run the command gpupdate /force


How to enable 4740 Account locked out event via Auditpol

Auditpol.exe is the command-line utility for changing audit security settings at the category and subcategory level. It is available by default in Windows Server 2008 R2 and later versions and in Windows 7 and later versions.

With Auditpol, we can get and set audit security settings at the per-user level and the computer level.

Note: You should run Auditpol commands with elevated privileges (Run as Administrator).

You can enable the Active Directory account lockout audit event (Event ID 4740) through the User Account Management subcategory by using the following command:
auditpol /set /subcategory:"User Account Management" /success:enable
To update or refresh GPO settings, run the command gpupdate /force
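
To confirm that the setting is active and to see which account and caller computer each lockout names, the following is an added example (not part of the original article). The function names Test-LockoutAuditEnabled and Get-LockoutEvent are hypothetical, and the check assumes English-language auditpol output and an elevated PowerShell session on a domain controller.

```powershell
# Added example: verify the audit setting, then summarize recent 4740 events.
# Assumption: English-language auditpol output ("Success" in the setting text).

function Test-LockoutAuditEnabled {
    # /r prints the setting as CSV; drop blank lines before parsing.
    $row = auditpol /get /subcategory:"User Account Management" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    # Matches both "Success" and "Success and Failure".
    return ($row.'Inclusion Setting' -match 'Success')
}

function Get-LockoutEvent {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740
                 StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Index the EventData fields by name instead of by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                LockedAccount  = $data['TargetUserName']
                # In 4740 the "Caller Computer Name" is stored in TargetDomainName.
                CallerComputer = $data['TargetDomainName']
                ReportedBy     = $_.MachineName
            }
        }
}

if (-not (Test-LockoutAuditEnabled)) {
    Write-Warning 'Success auditing for User Account Management is off; 4740 will not be logged.'
}

$events = @(Get-LockoutEvent -Hours 24)
$events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Repeated lockouts of one account from one caller point at the source to check.
$events | Group-Object LockedAccount, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```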


How to disable/stop 4740 Account locked out event

You can disable or stop the Active Directory account lockout audit event (Event ID 4740) by removing the success audit in the User Account Management subcategory with the following command:
auditpol /set /subcategory:"User Account Management" /success:disable
You can also stop this event by removing the success setting from the Default Domain Controllers GPO in the setting path Computer Configuration->Policies->Windows Settings->Security Settings->Audit Policy->Account Management

Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer

