4740

A user account was locked out

A user account was locked out after exceeding the configured threshold of consecutive failed logon attempts.

Event ID 4740 documents that an Active Directory user account or local account has been locked out due to excessive consecutive authentication failures. This event is logged on Domain Controllers (if a domain account) or local machines (if a local account) and records the target account name alongside the 'Caller Computer Name' that originated the failed attempts that triggered the lockout.

Failure Reason / Root Cause:

Repeated authentication failures from cached old passwords on mobile/remote devices, aggressive brute-force attacks, or credential stuffing.

CategoryAccount Management
Audit typeSuccess Audit
SeverityHigh
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywordslockout, locked out, caller computer, threshold, domain controller, active directory
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4740</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.901Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to A user account was locked out -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1110Brute ForceCredential Access
T1531Account Access RemovalImpact

Recommended actions

Related events