SOC Event Lookup
Event ID 4767AccountMgmtP2

Windows Event ID 4767: A user account was unlocked

Windows Security Event ID 4767 records that a locked-out user account was unlocked, logging the Subject who performed the unlock and the Target Account that was unlocked.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-12

Trigger Scenarios

A domain admin or help-desk operator unlocks an account through the ADUC console, PowerShell, or a self-service portal after a lockout. In an attack context, an adversary who has triggered a lockout on their own account or a captured account may unlock it themselves using separately obtained admin credentials to restore operational access.

Key Fields

Target Account\Account Name / Security ID

The account that was unlocked. Unlocking a domain admin or service account outside a help-desk ticket is the primary T1098 Account Manipulation signal; compare with the 4740 lockout record for the same account to confirm the unlock follows the lockout immediately.

Subject\Account Name / Logon ID

The identity that performed the unlock. Per the Microsoft Security Monitoring Recommendation, every 4767 for a local account should be reviewed. For domain accounts, an unlock performed by an account that is not in the authorized help-desk group or that originates from an unusual workstation warrants investigation.

Common False Positives

  • Help-desk operations routinely unlock accounts after user-initiated lockouts from stale passwords on mobile devices or mapped drives.
  • Automated self-service portals produce 4767 events with a service-account Subject when users reset their own passwords.

Related Events

MITRE ATT&CK Mapping

  • T1098Account Manipulation

Detection Notes

Event 4767 has no status or failure-code field. For T1098, flag a 4740 lockout followed by 4767 within 60 minutes where Subject is outside the help-desk group, then join Subject Logon ID to a Type 10 4624; this is an identity-based exception to the numeric-value rule.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4767
| project TimeGenerated, Computer, SubjectUserName, TargetUserName, SubjectLogonId
Splunk SPL
index=wineventlog EventCode=4767
| table _time, host, SubjectUserName, TargetUserName, SubjectLogonId
Sample Log
Subject:
  Security ID: CORP\attacker-admin
  Account Name: attacker-admin
  Account Domain: CORP
  Logon ID: 0x7C3E10
Target Account:
  Security ID: CORP\da-account
  Account Name: da-account
  Account Domain: CORP

Source