Account Lockout Event ID – Find the Source of Account Lockouts

Trying to figure out why an account keeps getting locked out?

When an Active Directory account gets locked out, Event ID 4740 is logged on the domain controller and Event ID 4625 is logged on the source computer. Together, these two events help you identify what is causing the lockout and where it’s coming from.

In this guide, I’ll show you how to find both events and trace the lockout back to the source.

What is Event ID 4740 – A user account was locked out

A domain controller will log event 4740 when a user account gets locked out. The event is not replicated between domain controllers, so you either need to search all domain controllers or start with the DC that holds the PDC emulator FSMO role: bad-password attempts are forwarded to the PDC emulator, so it records every lockout in the domain. This event tells you three things.

  • The account that was locked out
  • The time it happened
  • The caller computer name (the source of the lockout)

This event is logged in the Security log under the category “Account Management.” To view it, open Event Viewer on the domain controller and filter the Security log for Event ID 4740.

Event ID 4740 Example

[Screenshot: event ID 4740 example]

What is Event ID 4625 – An account failed to log on

Event ID 4625 is logged on the computer where the logon attempt was made when an account fails to log on or is locked out. This event is logged for both local and domain user accounts. It is useful for troubleshooting repeat lockouts because it provides more detail than the 4740 event (the logon type, the process and the failure reason). You will need both Event ID 4740 and Event ID 4625 to troubleshoot account lockouts.

Event ID 4625 Example

[Screenshot: event 4625 example]

How to Enable Account Lockout Events

Before Windows will log account lockout events, both the account lockout policy and the audit policy need to be configured. Refer to the Account Lockout Policy configuration guide for steps on creating a lockout policy. See the steps below to enable the audit policy.

Step 1. Open Group Policy Management Console

This can be from the domain controller or any computer that has the RSAT tools installed.

[Screenshot: Group Policy Management Console]

Step 2. Modify Default Domain Controllers Policy

Browse to the Default Domain Controllers Policy, right-click, and select Edit. You can also create a new GPO linked to the “Domain Controllers” OU if you prefer not to edit the default GPO.

[Screenshot: editing the Default Domain Controllers Policy]

Browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management

Enable success and failure for the Audit User Account Management policy.

[Screenshot: Audit User Account Management set to Success and Failure]

Next, enable the following:

computer configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon

Enable Success and Failure for Audit Kerberos Authentication Service.

[Screenshot: Audit Kerberos Authentication Service set to Success and Failure]

Step 3. Modify Default Domain Policy

The settings below enable event 4625 (failed logon attempts, including logons refused because the account is locked out) on client computers.

Browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff

  • Audit Account Lockout – Success and Failure
  • Audit Logoff – Success and Failure
  • Audit Logon – Success and Failure
  • Audit Other Logon/Logoff Events – Success and Failure

[Screenshot: Logon/Logoff audit settings]

Auditing is now turned on and event 4740 will be logged in the Security log of the domain controller when an account is locked out. In addition, Kerberos auditing is enabled, which logs the authentication failures that led to the lockout: Kerberos pre-authentication failures are event 4771 on the domain controller and include the client address. Sometimes event 4740 does not record the source computer, and the 4771 events provide that missing detail. Note that NTLM failures from older clients are event 4776 instead, which requires Audit Credential Validation and is not enabled by the steps above.
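A quick way to confirm that Steps 2 and 3 actually took effect, as an added example (this is not the article's code or the toolkit it mentions): it reads the effective audit policy with auditpol on one domain controller and one client, and checks that the domain has a non-zero lockout threshold, since without the audit settings 4740 and 4625 are never written and with a threshold of 0 accounts never lock. The computer names are assumptions; it needs the ActiveDirectory RSAT module and administrative rights on both hosts.

```powershell
# Added example (not from the original article): verify the audit policy from
# Steps 2 and 3 is in effect and that a lockout threshold exists.
# DC01 and PC1 are assumed names; replace them with your own hosts.
Import-Module ActiveDirectory

$DC     = 'DC01'   # assumed domain controller name
$Client = 'PC1'    # assumed client workstation name

# auditpol reports the effective policy (what GPO actually applied), which is
# what matters, not what the GPO object says.
$dcSubcats     = 'User Account Management', 'Kerberos Authentication Service'
$clientSubcats = 'Account Lockout', 'Logon', 'Logoff', 'Other Logon/Logoff Events'

$check = {
    param([string[]]$Subcats)
    foreach ($s in $Subcats) {
        # Each matching auditpol line reads like: "  Logon   Success and Failure"
        auditpol /get /subcategory:"$s" | Select-String -SimpleMatch $s |
            ForEach-Object { '{0,-12} {1}' -f $env:COMPUTERNAME, $_.Line.Trim() }
    }
}

Invoke-Command -ComputerName $DC     -ScriptBlock $check -ArgumentList (,$dcSubcats)
Invoke-Command -ComputerName $Client -ScriptBlock $check -ArgumentList (,$clientSubcats)

# A LockoutThreshold of 0 means "never lock out", so no 4740 will ever appear.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Any subcategory that still reports "No Auditing" on the host means the GPO has not applied yet (run gpupdate /force) or the machine is outside the OU the GPO is linked to.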

How to Find the Source of Account Lockouts

To find the account lockout source start by getting the event ID 4740 on the domain controller.

Step 1. Open Event Viewer on a domain controller. Start with the PDC emulator, since every lockout in the domain is processed there.

Step 2. Right-click the Security log and select “Filter Current Log”. Enter 4740 into the event ID box (the field labeled “Includes/Excludes Event IDs”) and click “OK”.

[Screenshot: filtering the Security log for event ID 4740]

You should now see a list of all 4740 events.

[Screenshot: filtered list of 4740 events]

Step 3. Click on one of the 4740 events to display the details.

[Screenshot: event 4740 details, A user account was locked out]

In the screenshot above I highlighted the most important details from the lockout event.

  • Security ID & Account Name – This is the name of the locked out account.
  • Caller Computer Name – This is the computer that the lockout occurred from.
  • Logged – This is the time of the account lockout.

Step 4. Once you have the source computer (caller computer), go to that machine and check the Security log for Event ID 4625. This will tell you the reason for the failed logons (wrong password, expired account, cached credentials, etc.).

[Screenshot: event 4625 showing the logon type]

In the screenshot above you can see event 4625 provides details such as the Logon Type and the caller process. The logon type is very important as this will help determine the cause of the lockouts.

Event 4625 will also be generated each time a user enters a wrong username or password.

[Screenshot: event 4625 failure reason]
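The manual search in Steps 1 to 4, scripted in PowerShell as an added example (this is not the article's own code or the AD Pro Toolkit): it pulls 4740 from every domain controller, reads the caller computer out of the event XML, and, for lockouts where that field is blank, pulls the matching Kerberos pre-authentication failures (event 4771, which needs the Audit Kerberos Authentication Service setting from Step 2) from the same DC, since those carry the client IP address. The account name, the 24-hour window and the ActiveDirectory RSAT module are assumptions.

```powershell
# Added example (not from the original article): find 4740 on every DC and
# recover the source address from 4771 when the caller computer is blank.
# The account name and time window are assumptions.
Import-Module ActiveDirectory

$Account = 'jsmith'              # assumed sAMAccountName of the locked-out user
$Since   = (Get-Date).AddHours(-24)

# Lockouts are processed by the PDC emulator, but the DC that saw the bad
# passwords logs 4740 as well, so query every DC rather than guessing.
$DCs = (Get-ADDomainController -Filter *).HostName

# Turn an event's EventData into a name -> value hashtable.
function ConvertTo-EventData($Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$lockouts = foreach ($dc in $DCs) {
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }
    # Get-WinEvent errors when nothing matches; treat that as "no lockouts here".
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            # Quirk: 4740 stores "Caller Computer Name" in the field named TargetDomainName.
            [pscustomobject]@{
                Time           = $_.TimeCreated
                DC             = $dc
                Account        = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']
            }
        }
}

$mine = $lockouts | Where-Object Account -eq $Account | Sort-Object Time
$mine | Format-Table -AutoSize

# Blank caller computer is typical for cached credentials, services and scheduled
# tasks. The Kerberos pre-auth failures (4771, Status 0x18 = bad password) logged on
# the same DC in the 30 minutes before the lockout still show the client IP.
foreach ($l in ($mine | Where-Object { -not $_.CallerComputer })) {
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = $l.Time.AddMinutes(-30); EndTime = $l.Time }
    Get-WinEvent -ComputerName $l.DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d['TargetUserName'] -eq $Account -and $d['Status'] -eq '0x18') {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $l.DC; ClientAddress = $d['IpAddress'] }
            }
        }
}
```

Run it from an account that can read the Security log on each DC (Event Log Readers or Domain Admins). The client address in 4771 is often an IPv4-mapped IPv6 string such as ::ffff:10.0.0.5; resolve it with nslookup or Resolve-DnsName to get the computer name.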

Using both event ID 4740 and 4625 you can track when and where account lockouts are occurring. The problem is this can be very time consuming when you have multiple domain controllers and multiple lockout events. In the next section, I’ll show you a faster and easier way to get lockout events.

Find Lockout Sources Faster with AD Pro Toolkit

Instead of manually digging through event logs on every domain controller, the AD Pro Toolkit finds the lockout source in one click. It searches all domain controllers, identifies the caller computer, and shows you the results in a single dashboard.

Step 1. Click on Users > Lockout Troubleshooter

Step 2. Click Scan. This will find all locked users and get the lockout events from all your domain controllers.

In the example below, you can see it found two locked users and is displaying all the 4740 lockout events from all domain controllers. In about two seconds I was able to find which computer the account lockouts are coming from. Download a Free Trial and try it out.

[Screenshot: AD Pro Toolkit Lockout Troubleshooter results]

Event 4625 Logon Types Explained

The logon type is very important as this is how the users tried to authenticate. See the table below for a reference of the 4625 logon types.

Logon Type   Description
2            Interactive (also known as logon locally). Examples: console logon, RUNAS, network KVM
3            Network (password, NT hash, Kerberos ticket). Examples: NET USE, RPC calls, remote registry
4            Batch (password stored as an LSA secret). Examples: scheduled tasks
5            Service (password stored as an LSA secret). Examples: Windows services
7            Unlock. Examples: a wrong password typed at the lock screen of an existing session
8            NetworkCleartext (password). Examples: IIS Basic Auth, Windows PowerShell with CredSSP
9            NewCredentials (password). Examples: RUNAS /NETONLY
10           RemoteInteractive (password, smart card). Examples: Remote Desktop
11           CachedInteractive. A user logged on to this computer with domain credentials that were cached locally; the domain controller was not contacted to verify them.

Now let’s look at a few examples.

Logon Type 2

[Screenshot: event 4625 with logon type 2]

In this example, I tried to log on to PC1 locally. It generated event 4625 with logon type 2. Users typically log on while sitting in front of their computer or through console access, so it is common to see a lot of logon type 2.

Logon Type 10

[Screenshot: event 4625 with logon type 10]

In this example, I used RDP to try and logon to PC1. I entered the wrong password so event 4625 was logged with logon type 10.

That should help you to understand how to use the 4625 event to troubleshoot failed logons and account lockouts.
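To put the logon type table to work on a real Security log, here is an added example (not the article's code): it reads the 4625 events from the caller computer reported by 4740, decodes the logon type and the NTSTATUS Status/SubStatus codes into plain words, and groups the failures by logon type, process and source address, which is usually enough to tell a mapped drive from a typed password from an RDP client. The computer and account names and the 24-hour window are assumptions.

```powershell
# Added example (not from the original article): decode and summarise 4625
# events from the source computer. PC1 and jsmith are assumed names.
$Source  = 'PC1'      # caller computer name taken from event 4740 (assumed)
$Account = 'jsmith'   # locked-out account (assumed)
$Since   = (Get-Date).AddHours(-24)

$LogonTypeName = @{
    '2' = 'Interactive';    '3'  = 'Network';           '4'  = 'Batch'
    '5' = 'Service';        '7'  = 'Unlock';            '8'  = 'NetworkCleartext'
    '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}
# NTSTATUS values that 4625 puts in Status/SubStatus. PowerShell hashtable keys
# are case-insensitive, so the lowercase hex in the event XML still matches.
$ReasonName = @{
    '0xC000006A' = 'wrong password';            '0xC0000234' = 'account locked out'
    '0xC0000072' = 'account disabled';          '0xC0000193' = 'account expired'
    '0xC0000071' = 'password expired';          '0xC0000064' = 'user name does not exist'
    '0xC000006D' = 'bad user name or password'; '0xC000006F' = 'outside allowed logon hours'
    '0xC0000070' = 'workstation restriction';   '0xC000015B' = 'logon type not granted on this host'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
$failures = Get-WinEvent -ComputerName $Source -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # SubStatus carries the specific reason; Status is usually the generic 0xC000006D.
        $code   = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
        $reason = if ($ReasonName.ContainsKey($code)) { $ReasonName[$code] } else { $code }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $d['TargetUserName']
            LogonType   = '{0} ({1})' -f $d['LogonType'], $LogonTypeName[$d['LogonType']]
            Reason      = $reason
            Process     = $d['ProcessName']
            SourceIP    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    } | Where-Object Account -eq $Account

$failures | Sort-Object Time | Format-Table -AutoSize

# The grouping usually gives the cause away: many type 3 failures from one IP point
# at a mapped drive or service, type 2/7 from the console means someone is typing an
# old password, type 10 means an RDP client with a saved credential.
$failures | Group-Object LogonType, Process, SourceIP |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

For logon type 3 failures the interesting fields are SourceIP and Workstation, because the process on the source computer is just the server-side service (for example lsass.exe or svchost.exe) that received the credential; the real culprit is whatever sits at that address.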

Refer to the Microsoft Event 4625 documentation for more details on this event ID.

Common Causes of Account Lockouts

There are several reasons why Active Directory accounts get locked out. Below are the most common causes to check.

  • Cached credentials on other devices the user has logged into
  • Mapped network drives using old credentials
  • Service accounts with an expired or changed password
  • Scheduled tasks configured with outdated credentials
  • Mobile devices connected to Exchange or Wi-Fi with a saved password
  • Applications like Outlook, Teams, or VPN clients storing old passwords

Account Lockout Quick Reference

  • Event ID 4740 – logged on the domain controller, shows which account was locked out and the source computer.
    • Check for this event on each domain controller
  • Event ID 4625 – logged on the source computer, shows why authentication failed and the logon type.
  • Caller Computer Name is blank – Often due to cached credentials, service accounts, mapped drives, and scheduled tasks
  • Most common logon types
    • Logon Type 2 – interactive logon (local keyboard/console)
    • Logon Type 3 – network logon (mapped drives, file shares)
    • Logon Type 10 – remote interactive (RDP sessions)