ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying security event logs with account lockout monitoring on a cybersecurity dashboard
Event ID 4740InformationSecurityWindows

Windows Event ID 4740 – Security: User Account Locked Out

Event ID 4740 fires when a user account gets locked out due to failed authentication attempts. Critical for security monitoring and troubleshooting user access issues.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
17 March 20269 min read 0
Event ID 4740Security 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 4740 represents one of the most important security audit events in Active Directory environments. When a user account exceeds the maximum number of failed logon attempts defined in the account lockout policy, Windows immediately locks the account and generates this event. The lockout mechanism protects against password guessing attacks and brute force attempts by temporarily preventing authentication for the affected account.

The event contains several critical data fields that security administrators use for investigation. The Account Name field identifies the locked user, while Account Domain specifies whether it's a local or domain account. The Caller Computer Name field reveals the source machine where the failed attempts originated, which is crucial for identifying compromised systems or malicious activity patterns.

In 2026 Windows environments, this event integrates with Microsoft Defender for Identity and Azure AD Connect Health for enhanced security monitoring. Modern implementations often trigger automated responses like blocking suspicious IP addresses or alerting security operations centers. The event timing correlates directly with Group Policy account lockout settings, typically firing within seconds of the final failed attempt.

Understanding 4740 events is essential for maintaining security posture while minimizing user disruption. False positives can occur from legitimate scenarios like saved incorrect passwords in applications, expired credentials in services, or users mistyping passwords repeatedly. Proper analysis distinguishes between genuine security threats and operational issues requiring different response strategies.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User entering incorrect password multiple times exceeding lockout threshold
  • Service accounts with expired or changed passwords attempting authentication
  • Scheduled tasks running with outdated credentials
  • Applications or scripts with cached invalid credentials
  • Brute force password attacks from malicious actors
  • Password spraying attacks targeting multiple accounts
  • Disconnected network drives attempting reconnection with old credentials
  • Mobile devices or laptops with saved incorrect passwords
  • IIS application pools running with expired service account credentials
  • SQL Server services configured with invalid domain accounts
Resolution Methods

Troubleshooting Steps

01

Check Event Viewer for Lockout Details

Start by examining the 4740 event details in Event Viewer to identify the locked account and source computer.

  1. Open Event ViewerWindows LogsSecurity
  2. Filter for Event ID 4740 using the filter option
  3. Double-click the most recent 4740 event to view details
  4. Note the Account Name, Account Domain, and Caller Computer Name fields
  5. Check the timestamp to correlate with user reports or security alerts

Use PowerShell to query multiple 4740 events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} -MaxEvents 50 | Select-Object TimeCreated, @{Name='Account';Expression={$_.Properties[0].Value}}, @{Name='CallerComputer';Expression={$_.Properties[1].Value}} | Format-Table -AutoSize

This command extracts the essential information from recent lockout events, making it easier to identify patterns or repeated lockouts from specific sources.

02

Correlate with Authentication Failure Events

Investigate the failed logon attempts that led to the account lockout by examining Event ID 4625 (failed logon) events.

  1. In Event Viewer, filter the Security log for Event ID 4625
  2. Look for events with the same account name from the 4740 event
  3. Check timestamps leading up to the lockout time
  4. Examine the Failure Reason and Workstation Name fields
  5. Identify the source IP address or computer name generating failed attempts

Use PowerShell to correlate 4625 and 4740 events for a specific user:

$LockedAccount = "username"
$StartTime = (Get-Date).AddHours(-2)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4740; StartTime=$StartTime} | Where-Object {$_.Properties[5].Value -eq $LockedAccount -or $_.Properties[0].Value -eq $LockedAccount}
$Events | Select-Object Id, TimeCreated, @{Name='Account';Expression={if($_.Id -eq 4625){$_.Properties[5].Value}else{$_.Properties[0].Value}}}, @{Name='SourceIP';Expression={if($_.Id -eq 4625){$_.Properties[19].Value}else{"N/A"}}} | Sort-Object TimeCreated

This analysis reveals the attack pattern and helps determine if the lockout resulted from malicious activity or legitimate user error.

03

Unlock Account and Reset Security Settings

Unlock the affected user account and implement appropriate security measures based on your investigation findings.

  1. Open Active Directory Users and Computers (ADUC)
  2. Navigate to the user account identified in the 4740 event
  3. Right-click the user → PropertiesAccount tab
  4. Check Unlock account if the option is available
  5. Click Apply and OK to unlock the account

Use PowerShell to unlock accounts programmatically:

# Unlock a single user account
Unlock-ADAccount -Identity "username"

# Check if account is still locked
Get-ADUser -Identity "username" -Properties LockedOut | Select-Object Name, LockedOut

# Unlock multiple accounts from a list
$LockedUsers = @("user1", "user2", "user3")
$LockedUsers | ForEach-Object {Unlock-ADAccount -Identity $_; Write-Host "Unlocked: $_"}

If the lockout resulted from malicious activity, consider temporarily disabling the account and forcing a password reset:

Set-ADUser -Identity "username" -Enabled $false
Set-ADAccountPassword -Identity "username" -Reset
Warning: Only disable accounts if you suspect compromise. Coordinate with the user before forcing password resets.
04

Investigate Service Account Lockouts

Service account lockouts require special investigation since they often indicate configuration issues rather than security threats.

  1. Identify if the locked account is a service account by checking its naming convention and group memberships
  2. Use Services.msc to find services running under the locked account
  3. Check Task Scheduler for scheduled tasks using the account
  4. Examine IIS application pools if the account is used for web applications
  5. Review SQL Server services and their configured service accounts

PowerShell script to find services using a specific account:

$ServiceAccount = "DOMAIN\ServiceAccount"

# Find Windows services using the account
Get-WmiObject Win32_Service | Where-Object {$_.StartName -eq $ServiceAccount} | Select-Object Name, DisplayName, State, StartName

# Find scheduled tasks using the account
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq $ServiceAccount} | Select-Object TaskName, TaskPath, State

# Check IIS application pools (requires WebAdministration module)
Import-Module WebAdministration -ErrorAction SilentlyContinue
if (Get-Module WebAdministration) {
    Get-IISAppPool | Where-Object {$_.ProcessModel.UserName -eq $ServiceAccount} | Select-Object Name, State
}

Update service credentials after unlocking the account:

# Update Windows service credentials
$Service = Get-WmiObject Win32_Service -Filter "Name='ServiceName'"
$Service.Change($null,$null,$null,$null,$null,$null,"DOMAIN\ServiceAccount","NewPassword")

# Restart the service
Restart-Service -Name "ServiceName"
05

Implement Advanced Monitoring and Prevention

Deploy comprehensive monitoring solutions to prevent future lockouts and detect security threats early.

  1. Configure Windows Event Forwarding (WEF) to centralize 4740 events from all domain controllers
  2. Set up automated alerts for multiple 4740 events within short timeframes
  3. Implement account lockout threshold monitoring with PowerShell scripts
  4. Deploy Microsoft Defender for Identity to detect advanced threats
  5. Configure Azure AD Connect Health for hybrid environment monitoring

Create a PowerShell monitoring script for real-time lockout detection:

# Real-time Event 4740 monitoring script
$Query = @"

  
    
  

"@

Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = 4740" -Action {
    $Event = $Event.SourceEventArgs.NewEvent.TargetInstance
    $Message = "ALERT: Account lockout detected - User: $($Event.InsertionStrings[0]) from Computer: $($Event.InsertionStrings[1])"
    Write-Host $Message -ForegroundColor Red
    # Add email notification or SIEM integration here
}

Configure Group Policy settings to optimize account lockout policies:

  1. Open Group Policy Management Console
  2. Edit the Default Domain Policy or create a new GPO
  3. Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAccount PoliciesAccount Lockout Policy
  4. Configure appropriate values for Account lockout threshold, Account lockout duration, and Reset account lockout counter after
  5. Link the GPO to appropriate OUs and test the settings
Pro tip: Set lockout threshold to 5-10 attempts with a 15-30 minute duration to balance security and usability. Monitor the results and adjust based on your environment's needs.

Overview

Event ID 4740 fires whenever Windows locks out a user account due to exceeding the configured failed logon attempt threshold. This security event appears in the Security log on domain controllers and member servers where account lockout policies are enforced. The event captures critical details including the locked account name, the computer that triggered the lockout, and the caller computer name where the failed attempts originated.

This event is essential for security monitoring and user support scenarios. Security teams rely on 4740 events to detect potential brute force attacks, while helpdesk staff use them to identify why users cannot log in. The event fires immediately when the lockout threshold is reached, making it valuable for real-time security alerting systems.

On domain controllers, you'll see 4740 events for all domain accounts. On member servers and workstations, the event only appears for local account lockouts. The event includes the source workstation information, which helps administrators trace where the failed authentication attempts originated from across the network.

Frequently Asked Questions

What does Event ID 4740 mean and when does it occur?+
Event ID 4740 indicates that a user account has been locked out due to exceeding the maximum number of failed logon attempts configured in the account lockout policy. This event fires immediately when the lockout threshold is reached and appears in the Security log on domain controllers for domain accounts or on local machines for local accounts. The event serves as both a security alert for potential attacks and a troubleshooting tool for user access issues.
How can I determine what caused a specific account lockout?+
To identify the cause of an account lockout, examine the 4740 event details for the caller computer name, then investigate Event ID 4625 (failed logon) events from that source leading up to the lockout time. Check for patterns like repeated attempts from the same IP address, which might indicate an attack, or sporadic failures that suggest legitimate user errors or service account issues. Use PowerShell to correlate these events and analyze the failure reasons and source locations.
Why do service accounts frequently trigger Event ID 4740?+
Service accounts commonly cause lockouts because they often have passwords that expire or get changed without updating all the services, applications, and scheduled tasks that use them. When these automated processes attempt to authenticate with outdated credentials, they generate multiple failed logon attempts in rapid succession, quickly reaching the lockout threshold. This is especially common with IIS application pools, SQL Server services, and scheduled tasks that run frequently.
Can Event ID 4740 help detect security attacks?+
Yes, Event ID 4740 is crucial for detecting brute force attacks, password spraying, and other malicious authentication attempts. Multiple 4740 events across different accounts within a short timeframe often indicate a coordinated attack. The caller computer name field helps identify the source of attacks, while correlation with 4625 events reveals attack patterns. Security teams should monitor for unusual lockout frequencies, especially for administrative accounts or from external IP addresses.
How do I prevent legitimate users from getting locked out frequently?+
To reduce legitimate user lockouts, implement user education about password policies, configure appropriate lockout thresholds (typically 5-10 attempts), and set reasonable lockout durations (15-30 minutes). Deploy self-service password reset solutions, monitor for applications with cached credentials, and ensure service accounts have non-expiring passwords or automated password rotation. Use Group Policy to display logon failure reasons to help users understand why their attempts are failing.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceOfficial Microsoft documentation covering Event ID 4740 and account lockout auditing configuration.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-account-lockout
2
Account Lockout Policy SettingsMicrosoft documentation on configuring account lockout policies and understanding their security implications.https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4740#account-lockout#security-events

Related Windows Events

Windows Security Event Viewer displaying Event ID 4647 user logoff events on a security monitoring dashboard
Event 4647
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4647 – Microsoft-Windows-Security-Auditing: User Initiated Logoff

Event ID 4647 records when a user initiates a logoff from a Windows session. This security audit event tracks user-initiated disconnections for compliance and security monitoring purposes.

March 189 min
Windows Event Viewer displaying security audit logs with Event ID 4634 logoff events on a SOC monitoring dashboard
Event 4634
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4634 – Microsoft-Windows-Security-Auditing: An Account Was Logged Off

Event ID 4634 records when a user account logs off from a Windows system. This security audit event tracks logoff activities for compliance and security monitoring purposes.

March 1812 min
Windows Event Viewer displaying security audit logs on a cybersecurity monitoring dashboard
Event 808
Security
Windows EventInformation

Windows Event ID 808 – Security: Audit Log Cleared

Event ID 808 indicates that the Windows Security audit log has been cleared, typically by an administrator or automated process. This event is critical for security monitoring and compliance tracking.

March 1712 min
Windows Event Viewer showing security event logs on a monitoring dashboard
Event 4608
Security
Windows EventInformation

Windows Event ID 4608 – Security: Windows System Startup Initialization

Event ID 4608 logs when Windows starts up and the Local Security Authority Subsystem Service (LSASS.EXE) initializes the auditing subsystem during system boot.

March 178 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...