4740 A user account was locked out
Logged when an account is locked out. Because a lockout is the result of accumulated password failures, this event is a signal for brute force and password spraying.
Overview
The subcategory is Audit User Account Management. The event is generated when an account is locked out (temporarily suspended after a set number of logon failures). Domain account lockouts are recorded on a domain controller; local account lockouts are recorded on the host in question. The Caller Computer Name (the machine from which the failed attempts originated) is the main clue to the source.
How it is triggered
- Logon failures exceeding the account lockout policy threshold (an accumulation of 4625 logon failures or 4771 Kerberos pre-authentication failures).
- A common “self-inflicted lockout” occurs when a service, mapped drive, or mobile device holding old credentials repeatedly authenticates with a password that has since been changed.
Security review points
- Repeated lockouts of a single account suggest brute force against it. If many different accounts lock out in a short time, password spraying may have crossed the lockout threshold and become visible.
- Check Caller Computer Name to identify the lockout source. Distinguish an attack from a legitimate device holding old credentials (self-inflicted lockout). Supplement the picture with the failure details in 4625 / 4771.
Notes for log review
- Because it has a business impact (users cannot log in), it is often monitored operationally too. The crux is separating attack-driven from configuration/credential-driven causes.
- The source machine may be blank or unknown; in that case, trace it from same-time failure logs (the source IP/workstation in 4625).
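The two review points above (repeated lockouts of one account versus many accounts locking out in a short window) and the blank-caller note can be turned into simple triage logic. The following is an added example, not part of the original page or of any Microsoft tooling; it runs over a constructed set of 4740 records with hypothetical account and host names, and the thresholds (3 lockouts per account, 5 distinct accounts within 5 minutes) are assumed values to tune against your own lockout policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4740 records (not real log data). Each row carries the
# fields the event exposes: Target Account\Account Name ("target"),
# Caller Computer Name ("caller") and Subject\Account Name ("subject").
# One row per lockout. The blank caller on "dlee" models the case where the
# source machine is not recorded.
SAMPLE_4740 = [
    {"time": "2024-05-01T08:00:10", "target": "jdoe",       "caller": "LAPTOP-17",   "subject": "DC01$"},
    {"time": "2024-05-01T08:30:12", "target": "jdoe",       "caller": "LAPTOP-17",   "subject": "DC01$"},
    {"time": "2024-05-01T09:00:15", "target": "jdoe",       "caller": "LAPTOP-17",   "subject": "DC01$"},
    {"time": "2024-05-01T09:30:20", "target": "jdoe",       "caller": "LAPTOP-17",   "subject": "DC01$"},
    {"time": "2024-05-01T11:15:01", "target": "asmith",     "caller": "WS-PUBLIC-3", "subject": "DC01$"},
    {"time": "2024-05-01T11:15:04", "target": "bjones",     "caller": "WS-PUBLIC-3", "subject": "DC01$"},
    {"time": "2024-05-01T11:15:07", "target": "ckim",       "caller": "WS-PUBLIC-3", "subject": "DC01$"},
    {"time": "2024-05-01T11:15:09", "target": "dlee",       "caller": "",            "subject": "DC01$"},
    {"time": "2024-05-01T11:15:12", "target": "emora",      "caller": "WS-PUBLIC-3", "subject": "DC01$"},
    {"time": "2024-05-01T14:02:00", "target": "svc_backup", "caller": "APP07",       "subject": "DC02$"},
]


def parse(events):
    """Return records sorted by time, with the timestamp as a datetime."""
    out = []
    for e in events:
        t = e["time"]
        if isinstance(t, str):
            t = datetime.fromisoformat(t)
        out.append(dict(e, time=t))
    return sorted(out, key=lambda e: e["time"])


def repeated_lockouts(events, min_count=3):
    """Accounts locked out at least min_count times, with the callers involved.

    Many lockouts of one account is the brute-force signal. If every lockout
    came from a single caller, a device on that host holding stale credentials
    (the self-inflicted lockout) is the first thing to rule out.
    """
    hits = defaultdict(lambda: {"count": 0, "callers": set()})
    for e in events:
        hits[e["target"]]["count"] += 1
        hits[e["target"]]["callers"].add(e["caller"] or "UNKNOWN")
    return {acct: v for acct, v in hits.items() if v["count"] >= min_count}


def spray_windows(events, window=timedelta(minutes=5), min_accounts=5):
    """Time windows in which at least min_accounts distinct accounts locked out.

    Many different accounts hitting the lockout threshold in a short span is
    the password-spraying signal. Overlapping windows are reported once.
    """
    events = parse(events)
    hits, i = [], 0
    while i < len(events):
        start = events[i]["time"]
        j, accounts = i, set()
        while j < len(events) and events[j]["time"] - start <= window:
            accounts.add(events[j]["target"])
            j += 1
        if len(accounts) >= min_accounts:
            hits.append({"start": start, "end": events[j - 1]["time"], "accounts": accounts})
            i = j  # skip past this cluster so it is not reported again
        else:
            i += 1
    return hits


def lockouts_by_caller(events):
    """Group locked-out accounts by Caller Computer Name.

    A blank caller is kept under 'UNKNOWN': for those records the source has
    to be recovered from same-time 4625/4771 failures instead.
    """
    by_caller = defaultdict(set)
    for e in events:
        by_caller[e["caller"] or "UNKNOWN"].add(e["target"])
    return dict(by_caller)


if __name__ == "__main__":
    for acct, info in repeated_lockouts(SAMPLE_4740).items():
        note = "single source, rule out stale credentials" if len(info["callers"]) == 1 else "multiple sources"
        print(f"repeated lockouts: {acct} x{info['count']} from {sorted(info['callers'])} ({note})")
    for w in spray_windows(SAMPLE_4740):
        print(f"possible spraying: {len(w['accounts'])} accounts between {w['start']} and {w['end']}")
    for caller, accts in lockouts_by_caller(SAMPLE_4740).items():
        print(f"caller {caller}: {sorted(accts)}")
```

Running it flags jdoe (four lockouts, all from one caller, so the host is checked for stale credentials before anything else), one five-account cluster from WS-PUBLIC-3 inside eleven seconds, and the single blank-caller record that needs correlation with 4625.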
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The locked-out account |
| Caller Computer Name | The machine that triggered the lockout |
| Subject\Account Name | The reporter (often the DC’s system account) |