How to Detect Who Unlocked a User Account in Active Directory
Why It is Important
Automatically locking out accounts after several unsuccessful logon attempts is a common practice, since failed logon attempts can be a sign of an intruder or malware trying to get into your IT system. Before unlocking an account, it’s wise to find out why incorrect passwords were repeatedly provided; otherwise, you increase the risk of unauthorized access to your sensitive data. Therefore, it’s important to continuously monitor which accounts get unlocked and by whom, so you can spot any that were unlocked without proper approval and respond quickly to protect your systems and data.
Native Auditing
1. Run gpedit.msc → Create a new GPO → Edit it: Go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management:
- Audit User Account Management → Define → Success and Failure.
2. Go to Event Log → Define:
- Maximum security log size to 4 GB.
- Retention method for security log to "Overwrite events as needed".
3. Link the new GPO: Go to "Group Policy Management" → Right-click domain or OU → Choose Link an Existing GPO → Choose the GPO that you created.
4. Force the group policy update: In "Group Policy Management" right-click on the defined OU → Click "Group Policy Update".
5. Open Event Viewer → Search security log for event ID 4767 (A user account was unlocked).
Credits: Originally posted at https://www.netwrix.com/how_to_detect_who_unlocked_a_user_account.html
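To put step 5 to work, here is an added PowerShell script (not from the original article) that pulls event 4767 from a domain controller's Security log and reports the Subject (who performed the unlock) and Target Account (which account was unlocked), flagging any unlock done by someone outside an approved helpdesk list. The computer name, the 24-hour window and the `CORP\helpdesk.user` entry are assumptions to replace with your own values.

```powershell
# Added example, not from the original article. Lists who unlocked which
# account from Security event 4767 and flags unlocks by anyone outside an
# approved list. Run on (or point at) a domain controller: the unlock is
# logged only on the DC that processed it.
param(
    [string]   $ComputerName      = $env:COMPUTERNAME,       # assumption: script runs on a DC
    [int]      $Hours             = 24,                      # assumption: look back one day
    [string[]] $ApprovedUnlockers = @('CORP\helpdesk.user')  # placeholder: your helpdesk accounts
)

# Flatten the <EventData> of one 4767 event into the fields an investigator needs.
# Subject* = the account that performed the unlock, Target* = the account unlocked.
function ConvertFrom-UnlockEvent {
    param([string]$EventXml, [datetime]$Time, [string]$Dc)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $by = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
    [pscustomobject]@{
        Time             = $Time
        DomainController = $Dc
        UnlockedAccount  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        UnlockedBy       = $by
        SubjectLogonId   = $data.SubjectLogonId   # links the unlock to the admin's logon session (event 4624)
        Unapproved       = -not ($ApprovedUnlockers -contains $by)
    }
}

# Pull the last $Hours of 4767 events; an empty result is normal when nobody unlocked anything.
$filter = @{ LogName = 'Security'; Id = 4767; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-UnlockEvent -EventXml $_.ToXml() -Time $_.TimeCreated -Dc $_.MachineName } |
    Sort-Object Time |
    Format-Table Time, UnlockedAccount, UnlockedBy, Unapproved, DomainController -AutoSize
```

Each DC records only the unlocks it handled, so for a domain-wide view run the script once per DC (names from `(Get-ADDomainController -Filter *).HostName`). Note that a lockout simply expiring does not produce 4767; only an explicit unlock does.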