Event ID 4767: A user account was unlocked

Description

  In this article, I am going to explain about the Active Directory user account unlock Event 4767. It also includes the steps to enable Event 4767 and disable 4767 user account unlock event. This event comes under the Account Management category/User Account Management subcategory of Security Audit.

Note: Equivalent event of 4767 in server 2003/xp based machine is 671.

Summary

  1. Event 4767 Example source
  2. Steps to enable 4767 Event through Default Domain Controllers Group Policy
  3. How to User Account Unlock Event 4767 via Auditpol
  4. Steps to disable/stop Event ID 4767

Event 4767 Example source

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/25/2014 5:11:42 PM
Event ID:      4767
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      devDC.Work2008.local
Description:
A user account was unlocked.

Subject:
 Security ID:  WORK2008Administrator
 Account Name:  Administrator
 Account Domain:  WORK2008
 Logon ID:  0x2c3aaf

Target Account:
 Security ID:  WORK2008LTest
 Account Name:  LTest
 Account Domain:  WORK2008

Steps to enable 4767 Event ID through Default Domain Controllers Group Policy

1. Open Group Policy Management Console by running the command gpmc.msc

2. Expand the domain node, expand the Domain Controllers OU, then Right-click on the Default Domain Controllers Policy, and click the Edit option

Steps to Enable Event ID 4767: A user account was unlocked

3. Expand the Computer Configuration node, go to the node Audit Policy(Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).

4. Navigate to the right side pane, select the policy Audit account management, and set the success audit value.

Steps to enable Event ID 4740 - Active Directory user account unlocked Event

4. In Windows 2008 R2 and later versions, you can also control Event ID 4767 through Advanced Audit Policy configuration. Expand the Computer Configuration node, go to the node Advanced Audit Policy Configuration(Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies). And click Account Maangement, in the right side pane, enable success auditing for Audit User Account Management subcategory.

Steps to Enable User Account unlock Event ID 4767

5. To update or refresh GPO settings, run the command gpupdate/force

Steps to Enable User Account unlock Event 4767

How to enable User Account Unlock Event 4767 via Auditpol

Auditpol.exe is the command line utility tool to change Audit Security settings as category and sub-category level. It is available by default Windows 2008 R2 and later versions/Windows 7 and later versions.

By using Auditpol, we can get/set Audit Security settings per user level and computer level.

Note: You should run Auditpol command with elevated privilege (Run As Administrator);

You can enable Active Directory User Account Unlock audit event (Event ID 4740) through User Account Management subcategory by using the following command

auditpol /set /subcategory:"User Account Management" /success:enable

To update or refresh GPO settings, run the command gpupdate/force

Steps to disable/stop User Account Unlock Event 4767

You can disable or stop Active Directory User Account Unlock audit event (Event ID 4767) by removing success audit in User Account Management subcategory by using the following command.

auditpol /set /subcategory:"User Account Management" /success:disable

You can also stop this event by removing the success setting from the Default Domain Controllers GPO in the setting path Computer Configuration->Polices->Windows Settings->Security Settings->Audit Policy->Account Management

Note : This article is applies to Windows Server 2008,Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer

Advertisement

Leave a Comment