Event ID: 4767

A user account was unlocked 

A user account was unlocked.

Subject:
    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:       %7

Target Account:
    Security ID:        %3
    Account Name:       %1
    Account Domain:     %2


This event generates every time a user account is unlocked.

For user accounts, this event generates on domain controllers, member servers, and workstations.

ISO 27001:2013 A.9.2.1


Microsoft Documentation

Event ID - 4767



Name Field Insertion String OS Example
Account Name TargetUserName %1 Any Auditor
Account Domain TargetDomainName %2 Any DOMAIN
Security ID TargetSid %3 Any S-1-5-21-3457937927-2839227994-823803824-2104
Security ID SubjectUserSid %4 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %5 Any dadmin
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x30d5f

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
ISO 27001:2013 Audit Success
Audit Category:
Account Management

Audit Subcategory:
User Account Management
Legacy Events:
671

LEFT/RIGHT arrow keys for navigation

Back to List