ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying Event ID 4767 account unlock events in Event Viewer
Event ID 4767InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4767 – Microsoft-Windows-Security-Auditing: User Account Unlocked

Event ID 4767 fires when a user account is unlocked by an administrator or automatically by the system after the lockout duration expires.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4767Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 4767 represents a fundamental component of Windows security auditing, specifically tracking user account unlock operations. When Windows generates this event, it indicates that a previously locked user account has been restored to an active state, either through administrative intervention or automatic system processes.

The event structure includes several key fields that provide comprehensive context about the unlock operation. The Subject fields identify who performed the unlock action, including the Security ID, Account Name, Account Domain, and Logon ID of the administrator or system process. The Target Account section specifies which account was unlocked, providing the Security ID and Account Name of the affected user. Additional fields capture the workstation name from which the unlock operation originated.

In Active Directory environments, this event typically appears on domain controllers when domain user accounts are unlocked. For standalone systems or workgroup computers, the event logs locally when local user accounts are unlocked. The timing of this event correlates directly with account lockout policies configured in Group Policy or local security settings.

From a security perspective, Event ID 4767 serves as a critical audit point for monitoring account management activities. Unusual patterns in account unlocks, such as frequent unlocks of the same account or unlocks performed outside normal business hours, may indicate security incidents requiring investigation. Conversely, legitimate unlock operations provide valuable audit trails for compliance reporting and administrative accountability.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually unlocks a locked user account through Active Directory Users and Computers
  • System automatically unlocks an account after the configured lockout duration expires
  • PowerShell cmdlets like Unlock-ADAccount are used to unlock domain accounts
  • Net user commands with unlock parameters are executed
  • Third-party identity management tools perform account unlock operations
  • Service accounts or automated processes unlock accounts programmatically
  • Group Policy refresh triggers automatic unlock of expired lockouts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4767 entry to understand the context of the account unlock operation.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter the log for Event ID 4767 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4767 in the Event IDs field and click OK
  5. Double-click on a 4767 event to view detailed information
  6. Review the Subject section to identify who performed the unlock
  7. Check the Target Account section to see which account was unlocked
  8. Note the Workstation Name to identify the source of the unlock operation

Use this PowerShell command to quickly retrieve recent unlock events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4767} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
02

Correlate with Account Lockout Events

Investigate the relationship between unlock events and preceding lockout events to understand the full account management timeline.

  1. Search for corresponding Event ID 4740 (Account Locked Out) entries that preceded the unlock
  2. Use PowerShell to correlate lockout and unlock events for specific accounts:
# Get lockout and unlock events for analysis
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740,4767} -MaxEvents 100
$Events | Sort-Object TimeCreated | Format-Table TimeCreated, Id, @{Name='Account';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'}).Split(':')[1].Trim()}} -AutoSize
  1. Review the time intervals between lockout and unlock events
  2. Check if unlocks align with your organization's lockout duration policy
  3. Identify patterns of repeated lockout/unlock cycles for the same accounts
  4. Cross-reference with Event ID 4625 (Failed Logon) to understand lockout causes
Pro tip: Frequent lockout/unlock cycles often indicate password-related issues or potential brute force attacks.
03

Analyze Administrative Actions and Sources

Examine who is performing unlock operations and from which systems to validate legitimate administrative activity.

  1. Extract administrator information from unlock events using PowerShell:
# Analyze who is unlocking accounts
$UnlockEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4767} -MaxEvents 100
$UnlockEvents | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        UnlockedBy = $Event.Event.EventData.Data[1].'#text'
        UnlockedAccount = $Event.Event.EventData.Data[5].'#text'
        WorkstationName = $Event.Event.EventData.Data[7].'#text'
    }
} | Format-Table -AutoSize
  1. Verify that unlock operations are performed by authorized administrators
  2. Check if unlocks originate from expected administrative workstations
  3. Review unlock timing to ensure they occur during business hours
  4. Cross-reference with change management records for scheduled maintenance
  5. Investigate any unlocks performed by service accounts or system processes
Warning: Unlocks performed by unexpected accounts or from unusual workstations may indicate unauthorized access.
04

Monitor Unlock Patterns and Frequency

Establish baseline monitoring for account unlock patterns to identify anomalies and potential security issues.

  1. Create a PowerShell script to track unlock frequency by account:
# Monitor unlock patterns over time
$StartDate = (Get-Date).AddDays(-30)
$UnlockEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4767; StartTime=$StartDate}

$UnlockStats = $UnlockEvents | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        Date = $_.TimeCreated.Date
        Account = $Event.Event.EventData.Data[5].'#text'
        UnlockedBy = $Event.Event.EventData.Data[1].'#text'
    }
} | Group-Object Account | Select-Object Name, Count, @{Name='LastUnlock';Expression={($_.Group | Sort-Object Date -Descending)[0].Date}}

$UnlockStats | Sort-Object Count -Descending | Format-Table -AutoSize
  1. Set up automated alerts for accounts with excessive unlock frequency
  2. Monitor for unlocks occurring outside business hours
  3. Track unlock operations performed by non-administrative accounts
  4. Establish thresholds for normal vs. suspicious unlock activity
  5. Create reports for security team review and compliance auditing
05

Advanced Forensic Analysis and Response

Perform comprehensive forensic analysis when unlock events indicate potential security incidents or policy violations.

  1. Export detailed unlock event data for forensic analysis:
# Export comprehensive unlock event data
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4767} -MaxEvents 1000
$DetailedEvents = $Events | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        EventRecordID = $_.RecordId
        SubjectUserSid = $Event.Event.EventData.Data[0].'#text'
        SubjectUserName = $Event.Event.EventData.Data[1].'#text'
        SubjectDomainName = $Event.Event.EventData.Data[2].'#text'
        SubjectLogonId = $Event.Event.EventData.Data[3].'#text'
        TargetUserSid = $Event.Event.EventData.Data[4].'#text'
        TargetUserName = $Event.Event.EventData.Data[5].'#text'
        TargetDomainName = $Event.Event.EventData.Data[6].'#text'
        WorkstationName = $Event.Event.EventData.Data[7].'#text'
    }
}

$DetailedEvents | Export-Csv -Path "C:\Temp\UnlockEvents_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  1. Correlate unlock events with other security events (4624, 4625, 4648)
  2. Review Active Directory replication logs if dealing with domain accounts
  3. Check for corresponding events on other domain controllers
  4. Analyze network traffic logs for the timeframe of suspicious unlocks
  5. Document findings for incident response and compliance reporting
  6. Implement additional monitoring controls based on investigation results
Pro tip: Use Windows Event Forwarding (WEF) to centralize unlock events from multiple systems for comprehensive analysis.

Overview

Event ID 4767 is a security audit event that logs whenever a user account gets unlocked on a Windows system. This event fires in two primary scenarios: when an administrator manually unlocks a locked account, or when the system automatically unlocks an account after the configured lockout duration expires.

This event appears in the Security log and is part of Windows' comprehensive account management auditing framework. The event captures critical details including which account was unlocked, who performed the unlock operation, and the workstation from which the action originated. For domain environments, this event logs on domain controllers when domain accounts are unlocked, while local account unlocks generate the event on the local machine.

Understanding Event ID 4767 is essential for security monitoring, compliance reporting, and troubleshooting account lockout issues. Security teams rely on this event to track unauthorized unlock attempts, validate legitimate administrative actions, and maintain audit trails for regulatory compliance. The event provides visibility into account management activities that could indicate both legitimate administrative work and potential security incidents.

Frequently Asked Questions

What does Event ID 4767 mean and when does it occur?+
Event ID 4767 indicates that a user account has been unlocked on a Windows system. This event occurs in two main scenarios: when an administrator manually unlocks a locked account through tools like Active Directory Users and Computers or PowerShell cmdlets, or when the system automatically unlocks an account after the configured lockout duration expires. The event provides detailed information about who performed the unlock operation, which account was unlocked, and from which workstation the action originated.
How can I distinguish between manual and automatic account unlocks in Event ID 4767?+
You can distinguish between manual and automatic unlocks by examining the Subject fields in the event details. Manual unlocks show the administrator's account information in the Subject User Name field, while automatic unlocks typically show system accounts like 'SYSTEM' or the computer account. Additionally, manual unlocks often include a workstation name indicating where the administrative action was performed, whereas automatic unlocks may show the domain controller name or local computer name where the lockout timer expired.
Should I be concerned about frequent Event ID 4767 entries for the same user account?+
Frequent unlock events for the same account warrant investigation as they may indicate underlying issues. Common causes include users forgetting password changes, applications using cached credentials, service accounts with expired passwords, or potential security threats like brute force attacks. Review the corresponding Event ID 4740 (account lockout) entries to understand why the account is being locked repeatedly. If the unlocks are administrative responses to legitimate lockouts, consider user training or password policy adjustments. However, if the pattern seems unusual or occurs outside business hours, treat it as a potential security incident.
Can Event ID 4767 help me track compliance with account management policies?+
Yes, Event ID 4767 is valuable for compliance tracking and audit reporting. The event provides a complete audit trail of account unlock operations, including timestamps, administrator identities, and source workstations. You can use this data to demonstrate adherence to access control policies, validate that only authorized personnel perform account management tasks, and prove that unlock operations follow proper procedures. Many compliance frameworks require detailed logging of privileged account activities, and Event ID 4767 helps satisfy these requirements by providing comprehensive documentation of account unlock events.
How do I set up monitoring and alerting for suspicious Event ID 4767 patterns?+
To monitor Event ID 4767 effectively, implement automated analysis using PowerShell scripts or SIEM solutions. Create alerts for accounts unlocked more than a threshold number of times within a specific timeframe, unlocks performed outside business hours, or unlocks by unauthorized accounts. Use Windows Event Forwarding to centralize events from multiple systems, then apply correlation rules to identify patterns. Set up scheduled PowerShell tasks to generate regular reports showing unlock frequency by account and administrator. Consider integrating with security orchestration tools to automatically investigate suspicious patterns and notify security teams of potential incidents requiring immediate attention.
Documentation

References (2)

1
Microsoft Security Auditing Events DocumentationComprehensive documentation covering Windows security auditing events including account management events like 4767https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Windows Security Log Events ReferenceOfficial Microsoft documentation specifically for Event ID 4767 with detailed field descriptions and exampleshttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4767#security-auditing#account-management

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...