Description
In this article, I explain the Active Directory user account unlock event, Event ID 4767, including the steps to enable and disable it. This event comes under the Account Management category, User Account Management subcategory, of Security Audit.
Note: The equivalent of Event 4767 on Server 2003/XP based machines is Event 671.
Summary
- Event 4767 Example source
- Steps to enable 4767 Event through Default Domain Controllers Group Policy
- How to enable User Account Unlock Event 4767 via Auditpol
- Steps to disable/stop Event ID 4767
Event 4767 Example source
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/25/2014 5:11:42 PM
Event ID: 4767
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: devDC.Work2008.local
Description:
A user account was unlocked.
Subject:
  Security ID: WORK2008\Administrator
  Account Name: Administrator
  Account Domain: WORK2008
  Logon ID: 0x2c3aaf
Target Account:
  Security ID: WORK2008\LTest
  Account Name: LTest
  Account Domain: WORK2008
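An added example (not from the original article): a Python parser for the event text shown above that lists who unlocked which account and flags unlocks performed by accounts outside an expected operator list. It assumes one field per line, as Event Viewer copies events; the TempAdmin record, its timestamp and the operator list are constructed for illustration.

```python
from collections import namedtuple

Unlock = namedtuple("Unlock", "when computer actor target logon_id")

# Constructed sample: the first record reuses the article's values, the second is invented.
TEMPLATE = """Log Name: Security
Date: {0}
Event ID: {1}
Computer: devDC.Work2008.local
Description:
A user account was unlocked.
Subject:
  Account Name: {2}
  Account Domain: WORK2008
  Logon ID: 0x2c3aaf
Target Account:
  Account Name: {3}
  Account Domain: WORK2008
"""
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("3/25/2014 5:11:42 PM", 4767, "Administrator", "LTest"),
    ("3/25/2014 11:48:19 PM", 4767, "TempAdmin", "Administrator")])

def parse_unlocks(text):
    """Return an Unlock for every Event ID 4767 record in exported event text."""
    records, section = [], ""
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue                        # free text, e.g. the description sentence
        if key == "Log Name":               # first header line opens a new record
            records.append({})
            section = ""
        if value and records:
            records[-1][(section, key)] = value
        elif not value:
            section = key                   # "Subject:" / "Target Account:" header
    def who(rec, sec):
        return rec.get((sec, "Account Domain"), "?") + "\\" + rec.get((sec, "Account Name"), "?")
    return [Unlock(r.get(("", "Date")), r.get(("", "Computer")), who(r, "Subject"),
                   who(r, "Target Account"), r.get(("Subject", "Logon ID")))
            for r in records if r.get(("", "Event ID")) == "4767"]

def unexpected_unlocks(unlocks, expected_actors):
    """Unlocks performed by an account outside the expected operator list."""
    allowed = {a.lower() for a in expected_actors}
    return [u for u in unlocks if u.actor.lower() not in allowed]
```

The Subject block is the account that performed the unlock and the Target Account block is the account that was unlocked, so the operator list is compared against the Subject only.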
Steps to enable 4767 Event ID through Default Domain Controllers Group Policy
1. Open Group Policy Management Console by running the command gpmc.msc
2. Expand the domain node, expand the Domain Controllers OU, then right-click the Default Domain Controllers Policy and click Edit.
3. Expand the Computer Configuration node and go to the Audit Policy node (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).
4. In the right-side pane, select the policy Audit account management and enable Success auditing.
5. In Windows 2008 R2 and later versions, you can also control Event ID 4767 through the Advanced Audit Policy Configuration. Expand the Computer Configuration node and go to the Advanced Audit Policy Configuration node (Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies). Click Account Management and, in the right-side pane, enable success auditing for the Audit User Account Management subcategory.
6. To update or refresh GPO settings, run the command gpupdate /force
How to enable User Account Unlock Event 4767 via Auditpol
Auditpol.exe is a command-line utility for changing security audit settings at the category and subcategory level. It is available by default in Windows 2008 R2 and later versions and Windows 7 and later versions.
With Auditpol, we can get and set security audit settings at the per-user level and the computer level.
Note: You should run the Auditpol command with elevated privileges (Run As Administrator).
You can enable the Active Directory User Account Unlock audit event (Event ID 4767) through the User Account Management subcategory by using the following command:
auditpol /set /subcategory:"User Account Management" /success:enable
To update or refresh GPO settings, run the command gpupdate /force
Steps to disable/stop User Account Unlock Event 4767
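You can disable or stop the Active Directory User Account Unlock audit event (Event ID 4767) by removing success auditing from the User Account Management subcategory with the following command. Because the setting applies to the whole subcategory, it also stops the other User Account Management success events, not only 4767.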
auditpol /set /subcategory:"User Account Management" /success:disable
You can also stop this event by removing the success setting from the Default Domain Controllers GPO in the setting path Computer Configuration->Policies->Windows Settings->Security Settings->Audit Policy->Account Management
Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
Thanks,
Morgan
Software Developer