
Windows Event ID 4705 – Microsoft-Windows-Security-Auditing: User Account Locked Out

Event ID 4705 indicates a user account has been locked out due to security policy violations, typically from repeated failed authentication attempts or password policy breaches.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read

What This Event Means

Event ID 4705 represents a critical security audit event that Windows generates when the system locks out a user account due to policy violations. This event occurs as part of Windows' built-in security mechanisms designed to protect against brute force attacks and unauthorized access attempts.

The lockout mechanism activates when a user account exceeds the configured threshold for failed authentication attempts within the specified observation window. Windows tracks these failed attempts and automatically locks the account for the duration specified in the account lockout policy. During the lockout period, the account cannot authenticate even with correct credentials, effectively preventing further authentication attempts.

In Active Directory environments, domain controllers generate this event when domain account lockout policies trigger. The event includes detailed information about the locked account, including the user name, domain, and the computer system that caused the lockout. This data helps administrators identify the source of authentication failures and determine whether the lockout resulted from malicious activity or legitimate user error.

The event also captures the caller computer name and caller computer account, providing visibility into which system initiated the authentication attempts that led to the lockout. This information proves invaluable when investigating security incidents, as it allows administrators to trace the source of potential attacks and implement appropriate countermeasures.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User entering incorrect passwords repeatedly, exceeding the account lockout threshold
  • Brute force attacks attempting to guess user credentials through automated tools
  • Credential stuffing attacks using compromised password lists from data breaches
  • Service accounts with expired or changed passwords attempting authentication
  • Applications or scripts using cached credentials that no longer match current passwords
  • Password synchronization issues between systems in multi-domain environments
  • Users attempting to access resources with old passwords after recent password changes
  • Malware or compromised systems attempting unauthorized authentication
  • Network authentication protocols experiencing connectivity or timing issues
Resolution Methods

Troubleshooting Steps

Step 1: Check Event Viewer for Account Lockout Details

Navigate to Event Viewer > Windows Logs > Security to examine the lockout event details.

  1. Open Event Viewer by pressing Windows + R, type eventvwr.msc, and press Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4705 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4705 in the Event IDs field and click OK
  5. Double-click the event to view details including:
    • Account Name: The locked user account
    • Account Domain: The domain or computer name
    • Caller Computer Name: System that triggered the lockout
    • Caller Computer Account: Account used for the authentication attempts
  6. Note the timestamp to correlate with other security events

Use PowerShell to query multiple lockout events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4705} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Step 2: Unlock Account and Reset Lockout Counter

Unlock the affected user account and reset the lockout counter using Active Directory tools or PowerShell commands.

  1. For domain accounts, open Active Directory Users and Computers
  2. Navigate to the user account and right-click to select Properties
  3. Go to the Account tab and check Unlock account if available
  4. Click OK to apply changes

Use PowerShell to unlock domain accounts:

# Unlock specific user account
Unlock-ADAccount -Identity "username"

# Check account lockout status
Get-ADUser -Identity "username" -Properties LockedOut, AccountLockoutTime | Select-Object Name, LockedOut, AccountLockoutTime

# Find all locked accounts in domain
Search-ADAccount -LockedOut | Select-Object Name, DistinguishedName

For local accounts, use the Local Users and Groups console:

  1. Open Computer Management > Local Users and Groups > Users
  2. Right-click the locked account and select Properties
  3. Uncheck Account is locked out on the General tab

Step 3: Analyze Account Lockout Source with PowerShell

Use advanced PowerShell queries to identify the source and pattern of account lockouts across multiple domain controllers.

# Query all domain controllers for lockout events
$DCs = Get-ADDomainController -Filter *
$LockoutEvents = @()

foreach ($DC in $DCs) {
    $Events = Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{
        LogName = 'Security'
        Id = 4705
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue
    
    $LockoutEvents += $Events | ForEach-Object {
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            DomainController = $DC.HostName
            # 'Account Name:' appears under both the Subject and the locked account; keep the last match.
            # Splitting on '\r?\n' handles CRLF messages, and -replace returns '' instead of failing when no line matches.
            AccountName = (($_.Message -split '\r?\n' | Where-Object {$_ -match 'Account Name:'} | Select-Object -Last 1) -replace '^[^:]*:\s*', '').Trim()
            CallerComputer = (($_.Message -split '\r?\n' | Where-Object {$_ -match 'Caller Computer Name:'} | Select-Object -Last 1) -replace '^[^:]*:\s*', '').Trim()
        }
    }
}

# Display results sorted by time
$LockoutEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

Identify lockout patterns and potential attack sources:

# Group lockouts by caller computer to identify attack sources
$LockoutEvents | Group-Object CallerComputer | Sort-Object Count -Descending | Select-Object Name, Count

# Find accounts with multiple lockouts
$LockoutEvents | Group-Object AccountName | Where-Object {$_.Count -gt 1} | Select-Object Name, Count

Step 4: Configure Account Lockout Policy Settings

Review and adjust account lockout policy settings to balance security with usability requirements.

  1. Open Group Policy Management Console for domain policies
  2. Navigate to Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
  3. Configure the following settings:
    • Account lockout threshold: Number of failed attempts (recommended: 5-10)
    • Account lockout duration: How long account stays locked (recommended: 15-30 minutes)
    • Reset account lockout counter after: Time window for counting failures (recommended: 15-30 minutes)

Use PowerShell to check current lockout policy:

# Check domain account lockout policy
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Check fine-grained password policy if applicable
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, LockoutThreshold, LockoutDuration

For local computer policy, use Local Security Policy:

  1. Run secpol.msc as administrator
  2. Navigate to Account Policies > Account Lockout Policy
  3. Configure lockout threshold, duration, and reset counter settings

Warning: Setting lockout thresholds too low may cause legitimate users to be locked out frequently, while setting them too high reduces protection against brute force attacks.
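The following check, added here and not part of the original article, evaluates a lockout policy against the ranges recommended in this step. $Policy mirrors the property names returned by Get-ADDefaultDomainPasswordPolicy; the two sample policies are constructed, and the requirement that the reset window not exceed the lockout duration is a Windows rule, not something the article states.

```powershell
# Added example (not from the original article): evaluate a lockout policy against the
# recommended ranges above. $Policy mirrors the property names returned by
# Get-ADDefaultDomainPasswordPolicy; the sample values below are constructed.
function Test-LockoutPolicy {
    param([Parameter(Mandatory)]$Policy)
    $issues = @()
    $threshold = [int]$Policy.LockoutThreshold
    $durationMin = $Policy.LockoutDuration.TotalMinutes
    $windowMin = $Policy.LockoutObservationWindow.TotalMinutes

    if ($threshold -eq 0) { $issues += 'LockoutThreshold is 0: accounts never lock out' }
    elseif ($threshold -lt 5) { $issues += "LockoutThreshold $threshold is below 5: expect frequent legitimate lockouts" }
    elseif ($threshold -gt 10) { $issues += "LockoutThreshold $threshold is above 10: weak brute-force protection" }

    if ($durationMin -eq 0) { $issues += 'LockoutDuration 0 means locked until an administrator unlocks the account' }
    elseif ($durationMin -lt 15 -or $durationMin -gt 30) { $issues += "LockoutDuration $durationMin min is outside 15-30 min" }
    if ($windowMin -lt 15 -or $windowMin -gt 30) { $issues += "LockoutObservationWindow $windowMin min is outside 15-30 min" }
    # Windows requires the reset window to be no longer than a non-zero lockout duration
    if ($durationMin -gt 0 -and $windowMin -gt $durationMin) { $issues += 'LockoutObservationWindow exceeds LockoutDuration (Windows rejects this combination)' }

    [PSCustomObject]@{ Compliant = ($issues.Count -eq 0); Issues = $issues }
}

# Constructed sample: a weak policy, then a corrected one
$Weak  = [PSCustomObject]@{ LockoutThreshold = 50; LockoutDuration = [TimeSpan]::FromMinutes(5);  LockoutObservationWindow = [TimeSpan]::FromMinutes(30) }
$Fixed = [PSCustomObject]@{ LockoutThreshold = 10; LockoutDuration = [TimeSpan]::FromMinutes(30); LockoutObservationWindow = [TimeSpan]::FromMinutes(30) }
Test-LockoutPolicy -Policy $Weak
Test-LockoutPolicy -Policy $Fixed
# Against the live domain policy: Test-LockoutPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```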

Step 5: Implement Advanced Lockout Monitoring and Alerting

Set up comprehensive monitoring and automated alerting for account lockout events to enable rapid incident response.

Create a PowerShell script for continuous monitoring:

# Account Lockout Monitor Script
param(
    [int]$ThresholdMinutes = 60,
    [int]$MaxLockouts = 5,
    [string]$EmailTo = "admin@company.com",
    [string]$SMTPServer = "mail.company.com"
)

$StartTime = (Get-Date).AddMinutes(-$ThresholdMinutes)
$LockoutEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id = 4705
    StartTime = $StartTime
} -ErrorAction SilentlyContinue

# Wrap in @() so a single event (or none) still yields a usable Count
if (@($LockoutEvents).Count -ge $MaxLockouts) {
    $AlertMessage = @"
Multiple account lockouts detected:
Time Range: $StartTime to $(Get-Date)
Total Lockouts: $($LockoutEvents.Count)

Recent Events:
$($LockoutEvents | Select-Object -First 10 | Format-Table TimeCreated, Message -AutoSize | Out-String)
"@
    
    Send-MailMessage -To $EmailTo -From "lockout-monitor@company.com" -Subject "Account Lockout Alert" -Body $AlertMessage -SmtpServer $SMTPServer
}

Configure Windows Event Forwarding for centralized monitoring:

  1. On the collector server, run wecutil qc to configure Windows Event Collector
  2. Create a subscription configuration file (AccountLockouts.xml):

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>AccountLockouts</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Account Lockout Events</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4705]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>

Import the subscription:

wecutil cs AccountLockouts.xml

Pro tip: Integrate with SIEM solutions like Microsoft Sentinel or Splunk for advanced correlation and automated response to lockout patterns.

Overview

Event ID 4705 fires when Windows locks out a user account due to security policy violations. This security audit event appears in the Security log whenever the system enforces account lockout policies, typically after a user exceeds the maximum number of failed logon attempts within the specified time window.

The event captures critical details including the locked account name, the computer that triggered the lockout, and the security identifier (SID) of the affected user. This information proves essential for security administrators investigating potential brute force attacks, credential stuffing attempts, or legitimate users experiencing authentication issues.

Windows generates this event on domain controllers when Active Directory account lockout policies trigger, and on local systems when local account lockout settings activate. The event helps administrators distinguish between malicious authentication attempts and user error, making it a cornerstone of Windows security monitoring and incident response procedures.

Frequently Asked Questions

What does Event ID 4705 mean and when does it occur?

Event ID 4705 indicates that Windows has locked out a user account due to security policy violations. This event occurs when a user account exceeds the configured number of failed authentication attempts within the specified time window. The lockout mechanism protects against brute force attacks and unauthorized access attempts by temporarily preventing any authentication to the affected account, even with correct credentials.

How can I determine which computer or system caused the account lockout?

Event ID 4705 includes the 'Caller Computer Name' field that identifies the system responsible for the authentication attempts that triggered the lockout. You can find this information in the event details within Event Viewer or by using PowerShell to parse the event message. Additionally, correlating this event with Event ID 4625 (failed logon attempts) from the same timeframe and source computer provides a complete picture of the authentication failures that led to the lockout.

What's the difference between account lockout events on domain controllers versus local systems?

On domain controllers, Event ID 4705 appears when domain account lockout policies trigger, affecting user accounts throughout the Active Directory domain. These events typically occur on the authenticating domain controller and may appear on multiple DCs if the user attempts authentication against different controllers. On local systems, the event occurs when local account lockout policies activate for local user accounts, affecting only authentication to that specific computer. Domain lockouts require domain administrator privileges to resolve, while local lockouts can be resolved by local administrators.

How should I configure account lockout policies to balance security and usability?

Recommended account lockout policy settings include: lockout threshold of 5-10 failed attempts, lockout duration of 15-30 minutes, and reset counter after 15-30 minutes. Setting the threshold too low (1-3 attempts) may cause frequent legitimate user lockouts, while setting it too high (15+ attempts) provides insufficient protection against brute force attacks. The lockout duration should be long enough to slow down automated attacks but short enough to minimize user impact. Consider implementing fine-grained password policies for different user groups with varying security requirements.

Can Event ID 4705 help identify security attacks, and what should I look for?

Yes, Event ID 4705 is crucial for identifying potential security attacks. Look for patterns such as: multiple accounts being locked out from the same source computer (indicating a brute force attack), lockouts occurring outside normal business hours, accounts that rarely authenticate suddenly experiencing lockouts, or service accounts being locked out (suggesting credential compromise). Correlate these events with Event ID 4625 (failed logons) and Event ID 4624 (successful logons) to build a complete attack timeline. Rapid succession of lockouts across multiple accounts often indicates automated attack tools or credential stuffing attempts.
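The following detection logic, added here and not part of the original article, implements the patterns listed in this answer (several accounts from one caller computer in rapid succession, off-hours lockouts, service-account lockouts) and the "group lockouts by caller computer" analysis from the lockout-source step. It runs over constructed sample records shaped like the $LockoutEvents objects that step builds; the business-hours bounds and the svc_ naming convention are assumptions.

```powershell
# Added example (not from the original article): the pattern checks from the FAQ, run over
# constructed sample records shaped like the $LockoutEvents objects built in the analysis step.
$SampleLockouts = @(
    [PSCustomObject]@{ TimeCreated = Get-Date '2026-03-18 02:14:05'; AccountName = 'jdoe';    CallerComputer = 'WS-FIN-07' },
    [PSCustomObject]@{ TimeCreated = Get-Date '2026-03-18 02:14:09'; AccountName = 'asmith';  CallerComputer = 'WS-FIN-07' },
    [PSCustomObject]@{ TimeCreated = Get-Date '2026-03-18 02:14:12'; AccountName = 'svc_sql'; CallerComputer = 'WS-FIN-07' },
    [PSCustomObject]@{ TimeCreated = Get-Date '2026-03-18 10:32:40'; AccountName = 'bwong';   CallerComputer = 'WS-HR-03' }
)

function Find-LockoutPatterns {
    param(
        [Parameter(Mandatory)][object[]]$Lockouts,
        [int]$WindowMinutes = 10,                 # lockouts this close together from one source count as "rapid succession"
        [int]$MinAccountsPerSource = 3,           # distinct accounts from one caller before that caller is flagged
        [int]$BusinessStartHour = 7,              # assumed business hours (local time)
        [int]$BusinessEndHour = 19,
        [string]$ServiceAccountPattern = '^svc_'  # assumed naming convention for service accounts
    )
    $findings = @()

    # Pattern 1: one caller computer locking out several distinct accounts within a short window
    foreach ($group in ($Lockouts | Group-Object CallerComputer)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $span = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
        $accounts = @($sorted.AccountName | Select-Object -Unique)
        if ($accounts.Count -ge $MinAccountsPerSource -and $span -le $WindowMinutes) {
            $findings += [PSCustomObject]@{ Pattern = 'MultiAccountSameSource'; Source = $group.Name; Detail = "$($accounts.Count) accounts in $([math]::Round($span, 1)) min" }
        }
    }

    # Pattern 2: lockouts outside business hours
    foreach ($e in $Lockouts) {
        if ($e.TimeCreated.Hour -lt $BusinessStartHour -or $e.TimeCreated.Hour -ge $BusinessEndHour) {
            $findings += [PSCustomObject]@{ Pattern = 'OffHours'; Source = $e.CallerComputer; Detail = "$($e.AccountName) at $($e.TimeCreated.ToString('HH:mm'))" }
        }
    }

    # Pattern 3: service accounts locked out (stale credential in a job, or credential compromise)
    foreach ($e in ($Lockouts | Where-Object { $_.AccountName -match $ServiceAccountPattern })) {
        $findings += [PSCustomObject]@{ Pattern = 'ServiceAccountLockout'; Source = $e.CallerComputer; Detail = $e.AccountName }
    }
    return $findings
}

Find-LockoutPatterns -Lockouts $SampleLockouts | Format-Table -AutoSize
```

Feed it the $LockoutEvents collection from the analysis step to run the same checks against live domain controller data.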
Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
