How to Find Out Who Unlocked a User Account in AD on Server 2012 R2

Because of the increased risk of unauthorized access to sensitive data on servers, it is important for the administrator to know what is happening: why accounts are being locked and, of course, who unlocked them. Therefore, it is important to continuously monitor which accounts get unlocked and by whom, so you can spot any that were unlocked without proper approval and respond quickly to protect your systems and data.

Here is how we set up the audit in Active Directory on Windows Server 2012 R2 via Group Policy:

1. Run gpedit.msc → Create a new GPO → Edit it: Go to “Computer Configuration” → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management:

  • Audit User Account Management → Define → Success and Failure.

2. Go to Event Log → Define:

  • Maximum security log size to 4 GB.
  • Retention method for security log to “Overwrite events as needed”.

3. Link the new GPO: Go to “Group Policy Management” → Right-click domain or OU → Choose Link an Existing GPO → Choose the GPO that you created.

4. Force the group policy update: In “Group Policy Management” right click on the defined OU → Click “Group Policy Update”.

5. Open Event Viewer → Search the Security log for event ID 4767 (A user account was unlocked).

Once you find event 4767 in Event Viewer, the General tab shows the whole action: the Target Account is the account that was unlocked, and the Subject is who UNLOCKED it.

Here is a simple PowerShell command to search for locked-out accounts:

Search-ADAccount -LockedOut

It will list all your locked-out accounts so you can start investigating 🙂
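As an added example (not from the original post), the PowerShell script below automates step 5 together with the Search-ADAccount check: it pulls event 4767 from every domain controller's Security log, since the event is written only on the DC that processed the unlock, and reports who unlocked which account. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the Security log on each DC; the 7-day window is an arbitrary choice.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and rights to read the Security log remotely on each domain controller.
Import-Module ActiveDirectory

$Days  = 7                                   # assumed lookback window
$Since = (Get-Date).AddDays(-$Days)

# Event 4767 is logged on whichever DC handled the unlock, so query all of them.
$unlocks = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName = 'Security'; Id = 4767; StartTime = $Since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no matching events exist; treat that as empty.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Parse the event XML so the Subject (who) and Target (which account)
        # fields can be read by name instead of by position in the message.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time             = $e.TimeCreated
            DomainController = $dc.HostName
            UnlockedAccount  = "$($d.TargetDomainName)\$($d.TargetUserName)"
            UnlockedBy       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            SubjectLogonId   = $d.SubjectLogonId   # ties the action to a logon session
        }
    }
}

# Newest unlocks first; anything unlocked by an unexpected admin stands out here.
$unlocks | Sort-Object Time -Descending | Format-Table -AutoSize

# Accounts that are still locked out right now (the command from the post),
# so the investigator can see which lockouts nobody has cleared yet.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
```

If a 4767 event shows an UnlockedBy value that is not one of your help-desk or admin accounts, that is the unlock to investigate first.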