Windows Event ID 4740: A user account was locked out
Windows Security Event ID 4740 records a domain account lockout and is a key correlation point for brute-force activity and stale credential troubleshooting.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
A domain controller generates the event when failed authentication reaches the configured account-lockout threshold.
Key Fields
Account That Was Locked Out
The affected account. Determine whether it is a user, privileged, service, or shared identity.
Caller Computer Name
The computer that submitted the failed credentials. This is often the fastest path to the underlying source.
Subject
The domain controller context that recorded the lockout; it is not necessarily the user who caused it.
Common False Positives
- Stale credentials in services, mobile devices, and mapped drives commonly cause lockouts.
- Users can lock themselves out by repeatedly entering an old password.
Related Events
MITRE ATT&CK Mapping
- T1110Brute Force
Detection Notes
T1110 brute force is distinguished through Caller Computer Name and policy values: repeated lockouts from one caller across many Target Accounts inside one Account Lockout Observation Window are spray-like, while one account locked from many callers often reflects stale credentials. Correlate preceding 4625 Sub Status 0xC000006A (bad password) versus 0xC0000072 (disabled account); only the former normally drives password-lockout behavior. Compare counts with the configured Account Lockout Threshold before alerting.
SecurityEvent
| where EventID == 4740
| project TimeGenerated, Computer, TargetAccount, CallerComputerName
| order by TimeGenerated descindex=wineventlog EventCode=4740
| table _time, host, TargetUserName, CallerComputerNameAccount That Was Locked Out: CORP\jsmith
Caller Computer Name: WS-014
Computer: DC01