Summary:
- Event 4740 Example source
- How to enable 4740 event through Default Domain Controllers Group Policy
- How to enable 4740 Account locked out event via Auditpol
- How to disable/stop 4740 Account locked out event
Event 4740 Example source
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 31/10/2013 5:02:05 PM
Event ID: 4740
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: myServer.myDomain.com
Description:
A user account was locked out.
Subject:
    Security ID: SYSTEM
    Account Name: myServer$
    Account Domain: myDomain
    Logon ID: 0x3e7
Account That Was Locked Out:
    Security ID: myDomain\testuser
    Account Name: testUser
Additional Information:
    Caller Computer Name: my-PC
How to enable 4740 event through Default Domain Controllers Group Policy
1. Open Group Policy Management Console by running the command gpmc.msc
2. Expand the domain node, expand the Domain Controllers OU, then right-click the Default Domain Controllers Policy and click the Edit option.
3. Expand the Computer Configuration node and go to the Audit Policy node (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).
4. In the right-side pane, select the policy Audit account management, and set the success audit value.
5. To update or refresh GPO settings, run the command gpupdate /force
How to enable 4740 Account locked out event via Auditpol
Auditpol.exe is a command-line utility for changing audit security settings at the category and subcategory level. It is available by default in Windows 2008 R2 and later versions, and in Windows 7 and later versions.
With Auditpol, we can get and set audit security settings at the per-user level and the computer level.
Note: You should run Auditpol commands with elevated privileges (Run as Administrator).
You can enable the Active Directory Account Lockout audit event (Event ID 4740) through the User Account Management subcategory by using the following command:
auditpol /set /subcategory:"User Account Management" /success:enable
To update or refresh GPO settings, run the command gpupdate /force
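Once auditing is enabled, the following added example (not part of the original article) checks the audit setting and summarizes 4740 events by locked-out account and caller computer. The function names and the sample XML are constructed for illustration; in the 4740 event XML, the Caller Computer Name from the description is carried in the TargetDomainName field.

```powershell
# Added example, not from the original article. Function names are hypothetical.
# Parses one 4740 event (as XML) into the fields an investigator needs.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $evt  = ([xml]$Xml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreatedUtc   = $evt.System.TimeCreated.SystemTime
        DomainController = $evt.System.Computer
        LockedAccount    = $data['TargetUserName']
        # 4740 stores "Caller Computer Name" in the TargetDomainName field.
        CallerComputer   = $data['TargetDomainName']
    }
}

# Run elevated on a domain controller: shows the audit setting, then counts
# lockouts per (account, caller computer) pair, most frequent first.
function Get-LockoutSummary {
    param([int]$MaxEvents = 200)
    # An empty result means little if Success auditing is off, so show it first.
    auditpol /get /subcategory:"User Account Management" | Out-Host
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LockoutEventXml -Xml $_.ToXml() } |
        Group-Object LockedAccount, CallerComputer |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed, trimmed sample mirroring the example event above (the UTC
# timestamp is made up), so the parser can be tried without a live log.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2013-10-31T17:02:05.000Z" />
    <Computer>myServer.myDomain.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">testUser</Data>
    <Data Name="TargetDomainName">my-PC</Data>
    <Data Name="SubjectUserName">myServer$</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEventXml -Xml $sample
```

On a domain controller, call Get-LockoutSummary from an elevated session; a caller computer that recurs for one account is the first place to look for a stale credential.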
How to disable/stop 4740 Account locked out event
You can disable or stop Active Directory Account Lockout audit event (Event ID 4740) by removing success audit in User Account Management subcategory by using the following command.
auditpol /set /subcategory:"User Account Management" /success:disable
You can also stop this event by removing the success setting from the Default Domain Controllers GPO in the setting path Computer Configuration->Policies->Windows Settings->Security Settings->Audit Policy->Account Management
Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
Thanks,
Morgan
Software Developer