Windows Event ID 4767: A user account was unlocked
Windows Security Event ID 4767 records that a locked-out user account was unlocked, logging the Subject who performed the unlock and the Target Account that was unlocked.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-12
Trigger Scenarios
A domain admin or help-desk operator unlocks an account through the ADUC console, PowerShell, or a self-service portal after a lockout. In an attack context, an adversary who has triggered a lockout on their own account or a captured account may unlock it themselves using separately obtained admin credentials to restore operational access.
Key Fields
Target Account\Account Name / Security ID
The account that was unlocked. Unlocking a domain admin or service account outside a help-desk ticket is the primary T1098 Account Manipulation signal; compare with the 4740 lockout record for the same account to confirm the unlock follows the lockout immediately.
Subject\Account Name / Logon ID
The identity that performed the unlock. Per the Microsoft Security Monitoring Recommendation, every 4767 for a local account should be reviewed. For domain accounts, an unlock performed by an account that is not in the authorized help-desk group or that originates from an unusual workstation warrants investigation.
Common False Positives
- Help-desk operations routinely unlock accounts after user-initiated lockouts from stale passwords on mobile devices or mapped drives.
- Automated self-service portals produce 4767 events with a service-account Subject when users reset their own passwords.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
Detection Notes
Event 4767 has no status or failure-code field. For T1098, flag a 4740 lockout followed by 4767 within 60 minutes where Subject is outside the help-desk group, then join Subject Logon ID to a Type 10 4624; this is an identity-based exception to the numeric-value rule.
SecurityEvent
| where EventID == 4767
| project TimeGenerated, Computer, SubjectUserName, TargetUserName, SubjectLogonIdindex=wineventlog EventCode=4767
| table _time, host, SubjectUserName, TargetUserName, SubjectLogonIdSubject:
Security ID: CORP\attacker-admin
Account Name: attacker-admin
Account Domain: CORP
Logon ID: 0x7C3E10
Target Account:
Security ID: CORP\da-account
Account Name: da-account
Account Domain: CORP