SOC Event Lookup
Event ID 4740AccountMgmtP1

Windows Event ID 4740: A user account was locked out

Windows Security Event ID 4740 records a domain account lockout and is a key correlation point for brute-force activity and stale credential troubleshooting.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

A domain controller generates the event when failed authentication reaches the configured account-lockout threshold.

Key Fields

Account That Was Locked Out

The affected account. Determine whether it is a user, privileged, service, or shared identity.

Caller Computer Name

The computer that submitted the failed credentials. This is often the fastest path to the underlying source.

Subject

The domain controller context that recorded the lockout; it is not necessarily the user who caused it.

Common False Positives

  • Stale credentials in services, mobile devices, and mapped drives commonly cause lockouts.
  • Users can lock themselves out by repeatedly entering an old password.

Related Events

MITRE ATT&CK Mapping

  • T1110Brute Force

Detection Notes

T1110 brute force is distinguished through Caller Computer Name and policy values: repeated lockouts from one caller across many Target Accounts inside one Account Lockout Observation Window are spray-like, while one account locked from many callers often reflects stale credentials. Correlate preceding 4625 Sub Status 0xC000006A (bad password) versus 0xC0000072 (disabled account); only the former normally drives password-lockout behavior. Compare counts with the configured Account Lockout Threshold before alerting.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4740
| project TimeGenerated, Computer, TargetAccount, CallerComputerName
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4740
| table _time, host, TargetUserName, CallerComputerName
Sample Log
Account That Was Locked Out: CORP\jsmith
Caller Computer Name: WS-014
Computer: DC01

Source