Windows Event ID 4740: A user account was locked out

Windows Event ID 4740 is written when an account is locked out because the number of failed logon attempts set by the account lockout policy has been reached. This article walks through reading these events, finding the source of the failed attempts, telling a self-inflicted lockout from an attack in progress, and reducing the number of lockouts you have to deal with.


Account lockouts are a fundamental security feature in Windows and Active Directory environments. They are designed to stop online brute-force attacks against passwords, but they cause friction for legitimate users, and they cut both ways: anyone who knows a username can lock that account out on purpose simply by submitting bad passwords, so an aggressive policy is also a denial-of-service exposure.

For IT administrators and cybersecurity professionals, every account lockout is a potential security incident waiting to be investigated. When a user account is locked out, the Windows operating system logs Event ID 4740 in the Security log. This event is more than just a notification; it’s a critical forensic artifact that provides the necessary clues to diagnose the lockout’s root cause, whether it’s a simple user error or a sophisticated attack.

What is Windows Event ID 4740?

Event ID 4740 is a Security log entry generated by Windows Security Auditing (the "Audit User Account Management" subcategory of the Account Management audit policy). It records that a specific user account was locked out, with a timestamp, the account's SID and the name of the computer that submitted the failing attempts. For domain accounts it is written on the domain controller that applied the lockout; because every failed password attempt in a domain is forwarded to the PDC emulator, that DC's Security log records the lockouts for the whole domain and is the first place to look. For local accounts it is written on the computer that owns the account. It’s a key part of the larger security auditing framework in Windows which helps administrators track and investigate user activity and potential threats. Without this event, diagnosing the reason for a lockout would be a shot in the dark.

Anatomy of a 4740 Event Log

To analyze Event ID 4740 you need to understand its fields. While the format may vary slightly between Windows versions, the important information is the same.

  • Subject: The security principal that performed the lockout. For a domain account this is the domain controller itself, not the user who was locked out.

    • Security ID: Usually S-1-5-18 (SYSTEM).

    • Account Name: The computer account of the domain controller that locked the account (e.g. DC01$).

    • Account Domain: The domain of that computer account.

    • Logon ID: The logon session of the subject (0x3E7 for SYSTEM).

  • Account That Was Locked Out: The part that identifies the victim account.

    • Security ID: The SID of the locked-out user account.

    • Account Name: The username (e.g. jdoe).

  • Additional Information: Caller Computer Name. This is where every investigation starts: the NetBIOS name of the computer from which the failing logon attempts were submitted. It could be a workstation, a server, or a gateway that authenticated on the user's behalf. Two caveats a practitioner should know:

    • It can be blank, and it can name an intermediary rather than the device that holds the stale credential (an Exchange server, an NPS/RADIUS server, a VPN concentrator or a Remote Desktop gateway). Some clients populate it with an IP address or leave it empty.

    • 4740 does not contain a Source Network Address. To get an IP address you have to correlate with the failure events that preceded the lockout: 4771 (Kerberos pre-authentication failed, Client Address field) or 4776 (NTLM credential validation, Source Workstation field) on the domain controller, and 4625 (Source Network Address and Workstation Name) on the computer that actually rejected the logon.
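Because the field layout matters more than the labels, here is an added example (not code from the original article) that parses a 4740 event's XML into a readable object. The XML is a constructed sample with made-up names and SIDs; on a domain controller you can feed it a real event with (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} -MaxEvents 1).ToXml(). Note the quirk the code comments on: in 4740 the EventData element named TargetDomainName carries the Caller Computer Name, not a domain.

```powershell
# Added example, not part of the original article. Sample 4740 event XML
# (constructed: hostnames, account and SIDs are invented).
[xml]$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-05-01T08:15:32.000Z"/>
    <Computer>DC01.corp.example.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKS-1042</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory)][xml]$EventXml)

    # Build a name -> value table from the <Data Name="..."> elements, so the
    # fields are addressed by name rather than by position.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        LoggedOn           = $EventXml.Event.System.Computer        # the DC that wrote the event
        LockedAccount      = $data['TargetUserName']                # "Account That Was Locked Out"
        LockedAccountSid   = $data['TargetSid']
        # Quirk: in 4740 the field called TargetDomainName holds the Caller Computer Name.
        CallerComputerName = $data['TargetDomainName']
        Subject            = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        SubjectSid         = $data['SubjectUserSid']                # S-1-5-18 = SYSTEM
    }
}

ConvertFrom-LockoutEventXml -EventXml $sample | Format-List
```

The same name-to-value table works for any Security event, which is why it is worth parsing the XML rather than relying on the positional Properties array: the positions differ between 4740, 4771, 4776 and 4625.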

Top 5 Reasons for Account Lockouts

While a brute-force attack is the worst case, most account lockouts are caused by everyday, harmless issues. Knowing these common scenarios helps you quickly tell the difference between a security threat and a user problem.

  1. Saved Credentials on a Device: A user changes their password but forgets to update it on a mobile device, a shared computer, or in an application’s saved password cache. The device’s automatic login attempts with the old password lock them out in no time.

  2. Disconnected RDP Sessions: A user has an active Remote Desktop Protocol (RDP) session on a server, changes their password on their workstation and then the RDP session tries to re-authenticate with the old, now invalid password.

  3. Mapped Network Drives or Scheduled Tasks: A mapped drive or a scheduled task that uses the user’s old credentials to run a script or access a resource will keep failing and lock them out.

  4. Credential Misuse by an Application: A service or application is configured to run under a specific user account. After the user changes their password, the service won’t start or run and will keep trying to login.

  5. Malicious Activity (Brute-Force and Password-Spray Attacks): This is the worst case. An attacker guessing one user’s password will lock the account out repeatedly, usually from a source the user does not recognise. A password spray (one or two guesses per account across many accounts) is designed to stay under the lockout threshold, so a handful of lockouts scattered across different accounts from the same caller may be the only 4740 trace it leaves; the volume of 4771/4776 failures on the domain controllers is the better indicator there. Either pattern is a red flag for an attack in progress.
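The first four causes all leave a stale credential somewhere on the caller machine. The following added example (not code from the original article) is a host-side sweep you run on the computer named in Caller Computer Name, as a local administrator, to find it. It assumes the account is a domain user with the sAMAccountName 'jdoe'; the Credential Manager check only sees the vault of the user running the script, so repeat that part in the affected user's own session.

```powershell
# Added example, not part of the original article. Hunts for the common
# self-inflicted lockout causes on the caller machine. 'jdoe' is an assumed
# account name; run as a local administrator.

function Find-StaleCredentialUse {
    param([Parameter(Mandatory)][string]$User)

    $esc = [regex]::Escape($User)

    # 1. Credential Manager entries that name the user. cmdkey lists the *calling*
    #    user's vault, so also run this in the affected user's session.
    cmdkey /list 2>$null |
        Where-Object { $_ -match "User:\s*.*\b$esc\b" } |
        ForEach-Object { [pscustomobject]@{ Source = 'Credential Manager'; Detail = $_.Trim() } }

    # 2. Disconnected RDP/console sessions still holding a token built from the old password.
    quser 2>$null | Select-Object -Skip 1 |
        Where-Object { $_ -match "^\s*>?$esc\s" -and $_ -match '\sDisc\s' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Disconnected session'; Detail = ($_ -replace '\s+', ' ').Trim() } }

    # 3. Persistent mapped drives live per user under HKEY_USERS\<SID>\Network;
    #    only loaded hives (currently logged-on users) are visible here, so the
    #    hive SID is reported for comparison with the SID in the 4740 event.
    Get-ChildItem 'Registry::HKEY_USERS\*\Network\*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sid = ($_.PSPath -split '\\')[2]
            [pscustomobject]@{ Source = 'Mapped drive'; Detail = "$($_.PSChildName): -> $($_.GetValue('RemotePath')) (hive $sid)" }
        }

    # 4. Windows services whose "Log On As" is the user.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match "\b$esc\b" } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Detail = "$($_.Name) runs as $($_.StartName), state $($_.State)" } }

    # 5. Scheduled tasks whose principal is the user.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Principal.UserId -match "\b$esc\b" } |
        ForEach-Object { [pscustomobject]@{ Source = 'Scheduled task'; Detail = "$($_.TaskPath)$($_.TaskName) runs as $($_.Principal.UserId)" } }
}

Find-StaleCredentialUse -User 'jdoe' | Format-Table -AutoSize
```

Anything this returns is a candidate, not proof: confirm it by matching the timestamps of the 4771/4776 failures on the domain controller against when the service restarted, the task fired or the session reconnected.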

Event ID 4740 Investigation Guide

When a user reports an account lockout, you need to be systematic. Here’s a step by step approach for forensic analysis.

  1. Initial Triage:

    • Check the user’s last login time and the time of the lockout.

    • Ask the user if they’ve recently changed their password.

    • Take the Caller Computer Name from the Event ID 4740 entry. This is your main lead. If it is blank or names a gateway rather than a user device, get the source IP address from the preceding failure events instead: 4771 or 4776 on the domain controller, or 4625 on the computer that rejected the logon (4740 itself carries no network address).

  2. PowerShell Deep Dive:

    • Instead of clicking through thousands of events in Event Viewer, query the Security log with PowerShell. Start with the PDC emulator: every failed password attempt in the domain is forwarded to it, so its log records the lockouts for the whole domain and you rarely need to sweep every domain controller.

    • Example PowerShell command (run on a domain-joined host with the ActiveDirectory module, replacing 'username' with the account's sAMAccountName). Note the index: Properties[0] is the locked-out account; Properties[1] holds the Caller Computer Name (it is stored in the event's TargetDomainName field), so filtering on Properties[1] for a username would match nothing:

      Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -FilterHashtable @{LogName='Security'; Id=4740} |
          Where-Object { $_.Properties[0].Value -eq 'username' }   # Properties[0] = locked account, Properties[1] = Caller Computer Name

  3. Find the Source:

    • If the source is an IP address, resolve it with DNS (Resolve-DnsName -Type PTR), the DHCP lease table or the switch, firewall or VPN logs for the time of the lockout. A network scanner only tells you what listens on the address now, not who was using it when the attempts were made.

    • If the source is a computer name, check that machine (in person or remotely) for the stale credential: Credential Manager entries (cmdkey /list, as the affected user), services whose Log On As is the account, scheduled tasks running as the user, persistent mapped drives, and disconnected RDP sessions (quser).

    • Look for the failed logon events that preceded the Event ID 4740. On the domain controller these are 4771 (Kerberos pre-authentication failed; status 0x18 is a bad password) and 4776 (NTLM credential validation; status 0xC000006A is a bad password). 4625 (An account failed to log on) is written on the computer that rejected the logon, which is often the caller or a member server rather than the DC. These events give you the logon type (e.g. Network, Interactive, Service), the source address and the exact failure status, which narrow the cause considerably.
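The three steps above, carried out from the domain controller side, as an added example that is not code from the original article: it pulls the recent 4740 events for one user from the PDC emulator and, for each lockout, the Kerberos (4771) and NTLM (4776) failures the same DC recorded in the preceding minutes, so that lockout, source computer, source IP and failure status line up on one timeline. It assumes a domain-joined host with the ActiveDirectory RSAT module, rights to read the DC's Security log, and the "Audit Kerberos Authentication Service" and "Audit Credential Validation" failure audits enabled on the DCs; 'jdoe' is an assumed account name.

```powershell
# Added example, not part of the original article. Builds a lockout timeline
# for one account from the PDC emulator's Security log. Assumes RSAT's
# ActiveDirectory module and remote event log access; 'jdoe' is an assumed name.

function Get-LockoutTimeline {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$DomainController = (Get-ADDomain).PDCEmulator,   # all lockouts are recorded here
        [int]$LookbackMinutes = 30,                                # window to search before each lockout
        [int]$MaxLockouts = 5
    )

    $lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $User } |        # Properties[0] = locked-out account
        Select-Object -First $MaxLockouts                           # Get-WinEvent returns newest first

    foreach ($lk in $lockouts) {
        [pscustomobject]@{
            Event   = 4740
            Time    = $lk.TimeCreated
            Account = $lk.Properties[0].Value
            Source  = $lk.Properties[1].Value                      # Caller Computer Name
            Detail  = 'ACCOUNT LOCKED OUT'
        }

        # Failures the DC saw in the minutes before the lockout. 4771 = Kerberos
        # pre-auth failure (always a failure), 4776 = NTLM validation (success or failure).
        $window = @{
            LogName = 'Security'; Id = 4771, 4776
            StartTime = $lk.TimeCreated.AddMinutes(-$LookbackMinutes); EndTime = $lk.TimeCreated
        }
        Get-WinEvent -ComputerName $DomainController -FilterHashtable $window -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Parse EventData by name; positions differ between 4771 and 4776.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }

                switch ($_.Id) {
                    4771 { $acct = $d['TargetUserName']; $src = $d['IpAddress'];   $detail = "Kerberos pre-auth failed, status $($d['Status']) (0x18 = bad password)" }
                    4776 { $acct = $d['TargetUserName']; $src = $d['Workstation']; $detail = "NTLM validation status $($d['Status']) (0xC000006A = bad password)" }
                }
                # Skip other accounts and successful NTLM validations (Status 0x0).
                if ($acct -eq $User -and $d['Status'] -ne '0x0') {
                    [pscustomobject]@{ Event = $_.Id; Time = $_.TimeCreated; Account = $acct; Source = $src; Detail = $detail }
                }
            }
    }
}

Get-LockoutTimeline -User 'jdoe' | Sort-Object Time | Format-Table -AutoSize
```

If the 4771/4776 entries show a different Client Address from the 4740 Caller Computer Name, trust the address: the name is what the client claimed, the address is where the packets came from. A lockout with a caller name but no matching 4771/4776 on the PDC emulator usually means the failures were processed on another DC; repeat the query with -DomainController pointed at each DC in the site.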

Proactive Ways to Prevent Account Lockouts

While investigation is important, prevention is key. By following these best practices you can reduce the frequency and impact of account lockouts.

  1. Smart Lockout Policies: A well configured account lockout policy in Active Directory is your first line of defense. Balance security with usability: set a threshold high enough that a typo and one stale credential don't trigger it (the current Windows security baseline recommends 10 or more invalid attempts), a lockout duration and an observation window ("Reset account lockout counter after") of around 15 minutes, and remember that a very low threshold with a long duration lets anyone who knows a username lock it out at will.

  2. Multi-Factor Authentication (MFA): MFA is the most effective control against credential-based attacks: a guessed or stolen password is not enough to log in on its own. It does not stop the lockouts themselves, because the password is still checked first, and it is not a substitute for investigating them; what it does is limit what an attacker gains from a successful guess.

  3. Centralised Monitoring and Alerting: Use a Security Information and Event Management (SIEM) system to monitor and alert on Event ID 4740. Alert on lockouts for sensitive accounts (e.g. administrator accounts) or high volume of lockouts from a single source as this may indicate a brute-force attack.

  4. User Education: Proactively educate users on the importance of changing their passwords across all devices, including mobile phones, tablets and applications. A simple training video or email can prevent many self-inflicted lockouts.

  5. Automate Remediation: For common scenarios you can use scripts or a diagnostic tool like the Microsoft Account Lockout and Management Tools (ALTools, including LockoutStatus.exe) to quickly identify the source, and Search-ADAccount -LockedOut with Unlock-ADAccount to find and unlock affected accounts. Unlock only after the source has been found; otherwise the stale credential locks the account again within minutes.
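Point 3 above, alerting on lockouts of sensitive accounts and on bursts from a single source, is easy to state and easy to get wrong in a SIEM, so here is the logic as an added example (not code from the original article). It runs over a constructed set of 4740 records (the times, account names and caller names are invented) and implements two rules: any lockout of an account matching a privileged-name pattern, and a sliding-window count of lockouts of distinct accounts from one Caller Computer Name. The patterns, threshold and window are assumptions to tune for your environment.

```powershell
# Added example, not part of the original article. Two 4740 alert rules run
# over constructed sample lockout records (all names and times are invented).
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01 08:00:00'; Account = 'jdoe';       Caller = 'WKS-1042' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 08:03:00'; Account = 'asmith';     Caller = 'VPN-GW1'  }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 08:04:00'; Account = 'bkhan';      Caller = 'VPN-GW1'  }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 08:05:00'; Account = 'cwong';      Caller = 'VPN-GW1'  }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 08:06:00'; Account = 'dlee';       Caller = 'VPN-GW1'  }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:30:00'; Account = 'svc-backup'; Caller = ''         }   # blank caller: common in practice
    [pscustomobject]@{ Time = [datetime]'2024-05-01 10:12:00'; Account = 'admin-it';   Caller = 'WKS-0007' }
)

function Test-LockoutAlerts {
    param(
        [Parameter(Mandatory)][object[]]$Lockouts,
        [string[]]$SensitiveAccounts = @('Administrator', 'admin-*', 'svc-*'),   # assumed naming convention
        [int]$Threshold = 3,          # lockouts from one caller ...
        [int]$WindowMinutes = 10      # ... within this many minutes
    )

    # Rule 1: a single lockout of a privileged or service account is always worth a ticket.
    foreach ($e in $Lockouts) {
        foreach ($p in $SensitiveAccounts) {
            if ($e.Account -like $p) {
                [pscustomobject]@{ Rule = 'SensitiveAccountLockout'; Time = $e.Time; Key = $e.Account; Count = 1; Note = "caller '$($e.Caller)'" }
                break
            }
        }
    }

    # Rule 2: a burst of lockouts from one caller, typically a spray or brute force
    # through a gateway. Records with a blank caller cannot be attributed, so they
    # are excluded here and covered by volume rules on 4771/4776 instead.
    $byCaller = $Lockouts | Where-Object { $_.Caller } | Group-Object Caller
    foreach ($g in $byCaller) {
        $events = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = $events[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($events | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            if ($inWindow.Count -ge $Threshold) {
                $accts = ($inWindow.Account | Sort-Object -Unique) -join ','
                [pscustomobject]@{ Rule = 'LockoutBurstFromCaller'; Time = $start; Key = $g.Name; Count = $inWindow.Count; Note = "accounts: $accts" }
                break   # one alert per caller per run is enough
            }
        }
    }
}

Test-LockoutAlerts -Lockouts $sample | Format-Table -AutoSize
```

On the sample data this raises SensitiveAccountLockout for svc-backup and admin-it, and LockoutBurstFromCaller for VPN-GW1 with four distinct accounts in three minutes. The distinct-account list in the note is what separates a spray (many accounts, one source) from one user's stale credential (one account, one source), so keep it in the alert payload.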

Event IDs Related to Account Lockouts

Event ID 4740 is part of a larger chain of events. A full investigation often requires examining these related events to get the complete picture.

Event ID      Description
4625          An account failed to log on. Written on the computer that rejected the logon (often the caller or a member server, not the DC). Its Logon Type, Status/Sub Status (0xC000006A = wrong password, 0xC0000234 = account already locked out), Workstation Name and Source Network Address show where and how the attempt was made.
4648          A logon was attempted using explicit credentials (runas, a service or scheduled task authenticating with stored credentials). Useful for spotting which process on the caller is authenticating as the user.
4768 / 4769   Kerberos TGT and service ticket requests, providing context on the normal authentication flow around the failures.
4771          Kerberos pre-authentication failed. Written on the DC; status 0x18 is a bad password, and the Client Address field holds the source IP.
4776          The computer attempted to validate the credentials for an account (NTLM). Written on the DC; status 0xC000006A is a bad password, and Source Workstation names the caller.
4767          A user account was unlocked. Pair it with 4740 to measure how long accounts stay locked and who is unlocking them.

Conclusion: Beyond the Log File

Windows Event ID 4740 is far more than a simple log entry; it is a vital piece of the security puzzle. By adopting a methodical approach to analyzing these events, IT administrators can not only resolve immediate user issues but also uncover ongoing brute-force attacks and systemic issues with their security policies or applications. The information contained within each 4740 log is the key to maintaining a secure and efficient environment.

In the modern threat landscape, where credential theft is a primary attack vector, a deep understanding of account lockouts and their underlying causes is non-negotiable. Proactive monitoring and smart policies are essential for minimizing disruptions and enhancing your overall security posture.
