Event ID 4740: A User Account Was Locked Out [Fix]

Finding the source of the event is important to resolve the issue

by Loredana Harsana
Loredana Harsana
Loredana Harsana
Managing Editor
Loredana is a passionate writer with a keen interest in PC software and technology. She started off writing about mobile phones back when Samsung Galaxy S II was... read more
Updated on
Reviewed by Alex Serban
Alex Serban
Alex Serban
Windows Server & Networking Expert
After moving away from the corporate work-style, Alex has found rewards in a lifestyle of constant analysis, team coordination and pestering his colleagues. Holding an MCSA Windows Server... read more
Affiliate Disclosure
  • Event ID 4740 comes up in the security log when a user account is locked out in Windows. 
  • Here we will discuss the event and how we can find out what caused it.
Event ID 4740 A User Account Was Locked Out [Fix]

XINSTALL BY CLICKING THE DOWNLOAD FILE
To fix various PC problems, we recommend Restoro PC Repair Tool:
This software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. Fix PC issues and remove viruses now in 3 easy steps:

  1. Download Restoro PC Repair Tool that comes with Patented Technologies (patent available here).
  2. Click Start Scan to find Windows issues that could be causing PC problems.
  3. Click Repair All to fix issues affecting your computer's security and performance
  • Restoro has been downloaded by 0 readers this month.

If a user account is locked out, event ID 4740 is added to domain controllers, and event ID 4625 appears on client computers. It is generated when an account is locked due to too many failed attempts.

The event has all the information about the user account that was locked out, the time of the lockout, and the source of the failed login attempts (caller computer name).

In this guide, we will discuss all the reasons for the event ID 4740 and how to find the source of account lockouts.

Tip icon
Tip
The event ID for an account lockout event may vary depending on the version of Windows and the security product used.

What causes Event ID 4740, a user account might be locked out?

There are various reasons for the event to be generated. Some of the popular ones are mentioned here:

  • Too many failed login attempts – If a user inputs an incorrect password several times, their account may be locked out to stop further attempts.
  • Password expiration – The account may be locked out if a user’s password has expired until they reset their password.
  • Group Policy settings – Your organization may have set Group Policy settings that lock out the user accounts after a specific number of failed login attempts or after a particular time.

What can I do to determine the source of the Event ID 4740 account lockout?

1. Enable Auditing for event 4740

  1. Click on the Search icon, type Group Policy Management, and click Open.
  2. Under Domain, right-click on Default Domain Controllers Policy and select Edit.Default Domain Controllers Policy
  3. Now on the next window, follow this path: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management
  4. On the right pane, double-click on Audit User Account ManagementSuccess 2
  5. Put a checkmark on Success and Failure on the Audit user account management properties window.Event ID 4740 -Audit user account management properties
  6. Click Apply and OK.

2. Use PowerShell to find the PDC emulator role 

  1. Click on the Search icon, type PowerShell, and click Open.Powershell Server
  2. Type the following command to know the domain controller that holds the PDC role and press Enter: get-addomain | select PDCEmulator
  3. To search the lockout events, copy and paste the following command and press Enter: Get-WinEvent -FilterHashtable @{logname=’security’; id=4740}
  4. To display event details, copy and paste the following command and press Enter: Get-WinEvent -FilterHashtable @{logname=’security’; id=4740} | fl
  5. You will get the list of logon events.

3. Use Event Viewer

  • Click on the Search icon, type Event Viewer, and click Open.Event Viewer
  • On the left pane, go to Windows Logs, then click Security.
  • From the right pane, select Filter Current Log.Event Viewer 2
  • Search 4740 and click OK. Filter log - Event ID 4740
  • You will get a list of events Click on the event and check out the details of the source.

4. Use the Microsoft Lockout Status tool

  1. Download and Install LockoutStatus.exe
  2. Click the Search icon, type lockoutstatus, and click Open.Lockout status
  3. The app will check all the lockout events with all the instances, sources, and additional details.

5. Use a third-party tool

Expert tip:

SPONSORED

Some PC issues are hard to tackle, especially when it comes to corrupted repositories or missing Windows files. If you are having troubles fixing an error, your system may be partially broken.
We recommend installing Restoro, a tool that will scan your machine and identify what the fault is.
Click here to download and start repairing.

Using a free Active Directory troubleshooting tool like NetTools helps to troubleshoot, update queries, and report Active Directory and other Lightweight Directory Access Protocol directories. It is a portable executable file that allows you to view and troubleshoot Active Directory permissions. 

NetTools searches the event logs to locate events relevant to the account on the selected domain controller. Also, it can find the event logs of any member servers in the authentication chain and can display the information related to the reason for the lockout. To know the source, follow these steps: 

  1. Download NetTools.
  2. Extract the zip file and run the executable file.
  3. The tool will launch on the left pane; under Users, select Last Logon.NetTools - Event ID 4740
  4. Enter the Username and Server, and click Go.Last logon
  5. NetTools will show you all the login details.Last logon bad password
  6. Sort the results using the BadPwd column. The first entry on the list will be when the account was last locked.
  7. To get details, right-click the domain controller with the previous lockout time and choose Display Event Details.Event Details -Event ID 4740:

So, these are the easiest ways to find out the source of account lockout event ID 4740. Once you get the source, you can easily take steps to prevent it from happening.

Have you already tried some of these solutions? Or maybe you know of other methods to solve this Windows event ID? Feel free to share your expertise with us via the comments section below.

Still having issues? Fix them with this tool:

SPONSORED

If the advices above haven't solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on TrustPilot.com) to easily address them. After installation, simply click the Start Scan button and then press on Repair All.

This article covers:Topics: