This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 59%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hi,
We have Domain Controller & Additional Domain controller in our environment. From last few days false event ID 4740 getting generated continuously for every second for Domain controller Administrator ID. Administrator account is not getting locked but event ID 4740 getting generates in Security event. We have not used administrator account for any service.
Thanks & Regards,
Sachin Shinde
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 90%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.
Hi,
I have checked for 4625 event but not found single event for parrot ID. Also tried to run rundll32 keymgr.dll,KRShowKeyMgr command but got below result.
Any other option to find running processes using same ID.
Thanks,
Sachin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hi,
Thank you so much for your kindly reply.
From the event 4771 recorded for parrot account, please have a check of the client address. Is it the same server with the caller computer name recorded on the event 4740?
If the client address on the event 4771 indicated another server, please log on to that server and then check the event 4625 to trace the process name. And check possible causes as mentioned before.
For any question, please feel free to let me know.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hi,
Thanks for response. In client address no IP is showing.
Thanks,
Sachin Shinde
Hi Sachin,
Thank you so much for your kindly reply.
Could we confirm which devices this account Parrot would log on to? If so, we could log on to those devices for checking.
Besides, does this issue keep happening? How about the frequency of the issue reproduces?
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 66%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I'm also getting the same problem within a production environment and it is happening with several users and when I asked users about their account locked out, users have no answer for that like they haven't gotten any locked out prompt on their screen.
I have searched for all the logs within that specific DC but didn't get any information about the origin of that log or any reason for the account being locked out.
There is several DC configured in my environment but this is happening with only 3 DC.