4767 A user account was unlocked
Written when a locked-out account is unlocked. Paired with lockout 4740, it tracks the onset and clearing of locks.
Overview
The subcategory is Audit User Account Management. It is generated when an account’s lockout is cleared. It appears on a manual unlock by an administrator or an automatic unlock after the lockout duration elapses.
How it is triggered
- An unlock by an administrator (AD user then Unlock account, Unlock-ADAccount, and so on).
- An automatic unlock after the lockout duration elapses.
Security review points
- A flow of lockout 4740, unlock 4767, then a logon 4624 right after can indicate an attacker unlocked the account to resume an attack. Check who performed the unlock.
- Unlocking a high-privilege account, or an account repeatedly locked/unlocked, is notable as a brute-force target.
Notes for log review
- It occurs daily in help-desk operations. Compare the unlocking subject (is it the help desk?) and the target account against their normal patterns.
- Read it paired with lockout 4740, including the cause of the lock (attack vs self-inflicted).
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The unlocked account |
| Subject\Account Name | The subject that performed the unlock |
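
An added example, not part of the original page: one way to run the review described above, pairing each 4767 with a prior 4740 and a following 4624 for the same account and checking the unlocking subject against a help-desk list. The event dictionaries, their simplified field names, the account names, the help-desk list and the 5-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "target" and "subject" are simplified
# stand-ins for Target Account\Account Name and Subject\Account Name.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4740, "target": "alice", "subject": "DC01$"},
    {"time": "2024-05-01T09:05:00", "id": 4767, "target": "alice", "subject": "helpdesk1"},
    {"time": "2024-05-01T09:30:00", "id": 4624, "target": "alice", "subject": "-"},
    {"time": "2024-05-01T10:00:00", "id": 4740, "target": "svc-backup", "subject": "DC01$"},
    {"time": "2024-05-01T10:01:00", "id": 4767, "target": "svc-backup", "subject": "jdoe"},
    {"time": "2024-05-01T10:02:00", "id": 4624, "target": "svc-backup", "subject": "-"},
    {"time": "2024-05-01T11:00:00", "id": 4767, "target": "bob", "subject": "helpdesk1"},
]

def review_unlocks(events, helpdesk, window=timedelta(minutes=5)):
    """Return one finding per 4767, paired with a prior 4740 and a quick 4624."""
    events = sorted(events, key=lambda e: e["time"])  # ISO strings sort by time
    last_lockout = {}  # account -> time of the most recent unmatched 4740
    findings = []
    for i, ev in enumerate(events):
        when = datetime.fromisoformat(ev["time"])
        account = ev["target"].lower()
        if ev["id"] == 4740:
            last_lockout[account] = when
        elif ev["id"] == 4767:
            # Logon for the same account within the window after the unlock
            quick_logon = any(
                e["id"] == 4624 and e["target"].lower() == account
                and datetime.fromisoformat(e["time"]) - when <= window
                for e in events[i + 1:]
            )
            findings.append({
                "target": ev["target"],
                "unlocked_by": ev["subject"],
                "paired_lockout": last_lockout.pop(account, None) is not None,
                "quick_logon": quick_logon,
                "known_unlocker": ev["subject"].lower() in helpdesk,
            })
    return findings

def needs_review(finding):
    # Lockout, unlock, then a logon right after, unlocked by a subject outside the help desk
    return (finding["paired_lockout"] and finding["quick_logon"]
            and not finding["known_unlocker"])
```
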