How account in AD can unlock itself

Question

Hello!

I found event 4767 in my DC, when account get unlock by itself. I also found events of success logon, logout and change password at the same time (diff by couple ms).
How can this be? This behevior can be when password has expires and user must change it?

This account can reset user's password by AD console (has delegation in AD).

{
"Event": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event",
"System": {
"Provider": {
"Name": "Microsoft-Windows-Security-Auditing",
"Guid": "{ХХХХ}"
},
"EventID": "4767",
"Version": "0",
"Level": "0",
"Task": "13824",
"Opcode": "0",
"Keywords": "0x8020000000000000",
"TimeCreated": {
"SystemTime": "2021-06-15T06:58:47.887623800Z"
},
"EventRecordID": "9696810886",
"Correlation": null,
"Execution": {
"ProcessID": "560",
"ThreadID": "8644"
},
"Channel": "Security",
"Computer": "dc01.contoso.com",
"Security": null
},
"EventData": {
"Data": [
{
"text": "JohnD",
"Name": "TargetUserName"
},
{
"text": "CONTOSO",
"Name": "TargetDomainName"
},
{
"text": "S-1-5-SAME_SID",
"Name": "TargetSid"
},
{
"text": "S-1-5-SAME_SID",
"Name": "SubjectUserSid"
},
{
"text": "JohnD",
"Name": "SubjectUserName"
},
{
"text": "CONTOSO",
"Name": "SubjectDomainName"
},
{
"text": "XXXXX",
"Name": "SubjectLogonId"
}
]
}
}
}

Answer 1

Hi,

Users may be allowed to unlock themself by some tolls, but i didn't tried.
https://community.spiceworks.com/topic/1335007-any-way-to-give-users-a-way-to-unlock-themselves-in-an-ad-environment

Based on my understanding, there are events for the lock and unlock and password changes. You have already enabled the accounts manage audit policy, right?
If possible, would you please share the screenshot? (You can hide the private information).
Also, did you confirm where did the changes made from?

This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

Best Regards,