How account in AD can unlock itself

2021-06-21T06:26:03.573+00:00

Hello!

I found event 4767 in my DC, when account get unlock by itself. I also found events of success logon, logout and change password at the same time (diff by couple ms).
How can this be? This behevior can be when password has expires and user must change it?

This account can reset user's password by AD console (has delegation in AD).

{
"Event": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event",
"System": {
"Provider": {
"Name": "Microsoft-Windows-Security-Auditing",
"Guid": "{ХХХХ}"
},
"EventID": "4767",
"Version": "0",
"Level": "0",
"Task": "13824",
"Opcode": "0",
"Keywords": "0x8020000000000000",
"TimeCreated": {
"SystemTime": "2021-06-15T06:58:47.887623800Z"
},
"EventRecordID": "9696810886",
"Correlation": null,
"Execution": {
"ProcessID": "560",
"ThreadID": "8644"
},
"Channel": "Security",
"Computer": "dc01.contoso.com",
"Security": null
},
"EventData": {
"Data": [
{
"text": "JohnD",
"Name": "TargetUserName"
},
{
"text": "CONTOSO",
"Name": "TargetDomainName"
},
{
"text": "S-1-5-SAME_SID",
"Name": "TargetSid"
},
{
"text": "S-1-5-SAME_SID",
"Name": "SubjectUserSid"
},
{
"text": "JohnD",
"Name": "SubjectUserName"
},
{
"text": "CONTOSO",
"Name": "SubjectDomainName"
},
{
"text": "XXXXX",
"Name": "SubjectLogonId"
}
]
}
}
}

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,211 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Fan Fan 15,321 Reputation points Microsoft Vendor
    2021-06-21T07:45:43.79+00:00

    Hi,

    Users may be allowed to unlock themself by some tolls, but i didn't tried.
    https://community.spiceworks.com/topic/1335007-any-way-to-give-users-a-way-to-unlock-themselves-in-an-ad-environment

    Based on my understanding, there are events for the lock and unlock and password changes. You have already enabled the accounts manage audit policy, right?
    If possible, would you please share the screenshot? (You can hide the private information).
    Also, did you confirm where did the changes made from?

    This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

    Best Regards,