How to detect who unlocked a user account in Active Directory


Getting locked out of their accounts is one of the most common issues that Active Directory (AD) users face, and unlocking these accounts is a task admins spend a considerable amount of time on. Any account unlocked by an unauthorized admin or a compromised admin account could have long-lasting security consequences. For this reason, it's imperative to keep track of every detail behind account unlock events. Read on to learn how to detect who unlocked a user account in AD.

Find who unlocked a user account using PowerShell:

Perform the following actions on the domain controller (DC):

  1. Press Start, and search for Windows PowerShell. Right-click it, and select Run as administrator.
  2. Type the following script into the console:

     Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4767} | Select-Object -Property *

  3. Press Enter.
  4. This script will display recently unlocked user accounts. In the output, under Message → Subject → Account Name, the name and security ID of the user who unlocked the account can be seen.

Note: If you're using a workstation, run the following script in PowerShell:

Get-EventLog -LogName Security -ComputerName <DC name> | Where-Object {$_.EventID -eq 4767} | Select-Object -Property *

where <DC name> is the name of the DC where the account was unlocked.
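The Message text returned by the scripts above has to be read by eye. The following added example (not part of the original page and not ManageEngine's code) reads the same event ID 4767 as XML and returns one row per unlock, showing who unlocked which account. The function name, the -ApprovedUnlockers allow-list and the sample event are constructed for illustration.

```powershell
# Added example (not ManageEngine's code): one row per event 4767 unlock.
function ConvertFrom-UnlockEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml,
        # Hypothetical allow-list of DOMAIN\user accounts expected to unlock users
        [string[]]$ApprovedUnlockers = @()
    )
    process {
        # Index the named <Data> fields of the EventData section
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $unlocker = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        [pscustomobject]@{
            TimeUtc          = $EventXml.Event.System.TimeCreated.SystemTime
            DomainController = $EventXml.Event.System.Computer
            UnlockedAccount  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            UnlockedBy       = $unlocker
            UnlockedBySid    = $data.SubjectUserSid
            LogonId          = $data.SubjectLogonId   # ties the unlock to a 4624 logon session
            NeedsReview      = $unlocker -notin $ApprovedUnlockers
        }
    }
}

# Constructed sample event (all names and SIDs are made up) so the parser runs offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4767</EventID>
    <TimeCreated SystemTime="2024-05-14T02:13:07.000Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1130</Data>
    <Data Name="SubjectUserName">svc-backup</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-UnlockEvent -ApprovedUnlockers 'CORP\helpdesk1'

# Live use on the DC (or add -ComputerName <DC name> from a workstation):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4767} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-UnlockEvent -ApprovedUnlockers 'CORP\helpdesk1'
```

Rows with NeedsReview set to True are unlocks performed by an account outside the allow-list, which is the case the introduction singles out as a security concern.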


The above steps are an exhausting and time-consuming way to retrieve the details about account unlock events, but there's an easier way to get the same results.

Introducing ManageEngine ADAudit Plus, a comprehensive AD auditing solution that provides built-in reports for critical security events such as those above. Check out how ADAudit Plus does this and much more by downloading a 30-day free trial.

Find who unlocked user accounts using ADAudit Plus

  1. Open the ADAudit Plus console and log in as an administrator.
  2. Navigate to Reports → Active Directory → User Management → Recently Unlocked Users.

Although it's possible to search for account lockout events using native auditing, it becomes impossible for organizations to do this on a day-to-day basis due to the high volume of events logged. ADAudit Plus monitors account lockouts in real time, and reports on frequently locked and unlocked user accounts. Its account lockout analyzer tool allows you to discover the source of each lockout by analyzing where the cached credential was used; for instance, in scheduled tasks, Windows services, or other applications.

Follow these best practices to keep account lockouts to a minimum.


ADAudit Plus uses user behavior analytics (UBA) to create a baseline of normal user activity, and alerts you when any user deviates from that behavior. You can also see if lockouts occurred during non-business hours; this insight can help you detect brute-force attacks and find compromised devices in your network.

 
