Last active: August 16, 2021 12:52
PowerShell: Get-WinEvent to find Account Lockout Events
```powershell
#requires -version 2
<#
.SYNOPSIS
Lists the date, time and machine name where the specified account was locked out. Used for troubleshooting account lockout issues.
.DESCRIPTION
This script writes to the specified file all of the recent account lockouts that have occurred for the specified user. The results returned are the machine name from which the lockout originated and the date & time it occurred. This script is very useful for troubleshooting account lockout issues.
Note: This script only searches the current Security logs on the domain controllers specified in the $DCs variable.
.PARAMETER None
.INPUTS Username
Via input box. Specify the username that you want to search account lock-outs for. Note: Do not put the domain name before the user (e.g. ).
.INPUTS LogFilePath
Via input box. Specify the full path where the results log file should be saved. Example: C:\Logs\AccountLockouts.txt.
.OUTPUTS
Log file stored in the location specified by the LogFilePath input.
.NOTES
Version: 1.0
Author: Luca
Creation Date: 06.08.2012
Purpose/Change: Initial script development
.EXAMPLE
None - run this script via the PowerShell interface (right-click the script and select Run with PowerShell)
#>
#---------------------------------------------------------[Initialisations]--------------------------------------------------------
#Set Error Action to Silently Continue
#Note: this also hides errors from DCs that are unreachable or deny access; such a DC simply contributes no results
$ErrorActionPreference = "SilentlyContinue"
#----------------------------------------------------------[Declarations]----------------------------------------------------------
#Arrays used to process results & output
$aLockOutDetails = @()
$aOutput = @()
#List of DCs to search security logs for
$DCs = "dc_name1", "dc_name2", "dc_name3", "dc_name4", "dc_name5", "dc_name6"
#-----------------------------------------------------------[Execution]------------------------------------------------------------
#Prompt user to enter data
$sUsername = Read-Host -Prompt "Enter the user you want to search account lockouts for. Note: Do not put the domain name before the user (e.g. )"
$sLogPath = Read-Host -Prompt "Enter the full path of where you want to save the results (including file name). Example: C:\Logs\AccountLockouts.txt"
#Check data entered by user
If(!$sUsername -Or !$sLogPath){
    $oMsgBox = New-Object -ComObject Wscript.Shell
    $oMsgBox.Popup("No username or log path entered. Script exiting.",0,"Error!")
    Exit
}
#Regex that matches the locked-out account's "Account Name:" line exactly
#(a plain substring test would also match e.g. "jdoe2" when searching for "jdoe")
$sUserPattern = "(?m)^\s*Account Name:\s+" + [regex]::Escape($sUsername) + "\s*$"
#Collect result from each DC & store in aLockOutDetails array
ForEach($DC in $DCs){
    #Event ID 4740 = "A user account was locked out"
    $Results = Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4740} -ComputerName $DC | Select-Object Message, TimeCreated
    ForEach($Result in $Results){
        [string]$Item = $Result.Message
        If($Item -match $sUserPattern){
            #"Caller Computer Name" is the last field of the 4740 message; the value may be prefixed with "\\"
            #(the original TrimStart("Caller Computer Name :") trimmed a character set, not the prefix, and only worked by accident)
            $sMachineName = ""
            If($Item -match 'Caller Computer Name:\s*\\*(\S+)'){
                $sMachineName = $Matches[1]
            }
            #Set required info into an object
            $hItemDetails = New-Object -TypeName psobject -Property @{
                MachineName = $sMachineName
                TimeCreated = $Result.TimeCreated
            }
            #Add each item to the array
            $aLockOutDetails += $hItemDetails
        }
    }
}
#Check if any results found & format for output
If($aLockOutDetails.Length -eq 0){
    $aOutput += "Account lock-out results for: $sUsername"
    $aOutput += " "
    $aOutput += " "
    $aOutput += "No results found."
}Else{
    #Format output for log file
    $aOutput += "Account lock-out results for: $sUsername"
    $aOutput += " "
    $aOutput += " "
    $aOutput += "Machine Name`t`t`t`t`t`t`tDate & Time"
    $aOutput += "------------------------------------------------------------------------------------"
    ForEach($Line in $aLockOutDetails){
        $sMachine = $Line.MachineName
        $sDate = $Line.TimeCreated
        $aOutput += "$sMachine`t`t`t`t`t`t`t$sDate"
    }
}
#Output to log file
$aOutput | Set-Content $sLogPath
#Pause for 2 seconds
Start-Sleep -Seconds 2
#Open Log file in notepad.exe
Notepad.exe $sLogPath
```
Hi! Do you know if this can also be modified to search for all lockouts, not just a particular user?
If you want to search all DCs within the domain it's easier to declare $DCs as the following. Borrowed from [morgantechspace](https://www.morgantechspace.com/2015/06/list-ad-domain-controllers-using-powershell.html)

```powershell
# Find Domain Controllers from current Domain:
$DCs = [System.Directoryservices.ActiveDirectory.Domain]::GetCurrentDomain() | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
```
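The following is an added example, not part of the gist or its comments, that combines the two ideas above: it discovers the DCs with the same .NET call as the comment (with a manual override), pulls event 4740 from each DC's Security log, and answers the "all lockouts, not just one user" question by making the username filter optional. Unlike the gist it reads the event's data fields from the event XML instead of scraping the rendered message, so the match on the account name is exact (no "jdoe" matching "jdoe2") and does not depend on the message wording. The script name `Get-AccountLockouts.ps1` and the `-Days` window are my own choices; it assumes PowerShell 3 or later and an account with permission to read the Security log on each DC. For 4740 the caller computer name is carried in the `TargetDomainName` data field; treat that mapping as something to confirm against one sample event in your own environment.

```powershell
# Get-AccountLockouts.ps1 (added example, not the gist's code)
# Usage:
#   .\Get-AccountLockouts.ps1                       # every lockout on every DC in the last 7 days
#   .\Get-AccountLockouts.ps1 -Username jdoe -Days 3 | Export-Csv C:\Logs\lockouts.csv -NoTypeInformation
param(
    [string]$Username,     # omit to list lockouts for every account
    [int]$Days = 7,        # how far back to search
    [string[]]$DCs         # override DC discovery, e.g. "dc01","dc02"
)

function Get-DomainControllerNames {
    # Same .NET call as in the comment above, wrapped so a failure gives a clear error.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $domain.DomainControllers | ForEach-Object { $_.Name }
    } catch {
        throw "Could not enumerate domain controllers: $($_.Exception.Message)"
    }
}

function ConvertFrom-LockoutEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # 4740 carries its fields as <EventData><Data Name="...">; read them by name
    # rather than scraping the rendered message, which depends on locale and layout.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        TimeCreated      = $Event.TimeCreated
        DomainController = $Event.MachineName
        LockedAccount    = $data['TargetUserName']
        # Assumption (verify against a sample event): for 4740 the caller computer
        # name is stored in TargetDomainName, sometimes with a leading "\\".
        CallerComputer   = ($data['TargetDomainName'] -replace '^\\+', '')
    }
}

if (-not $DCs) { $DCs = Get-DomainControllerNames }

# StartTime keeps the query bounded; without it every 4740 still in the log is returned.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }

$lockouts = foreach ($dc in $DCs) {
    try {
        # -ErrorAction Stop makes unreachable/denied DCs visible instead of silently empty.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object { ConvertFrom-LockoutEvent -Event $_ }
    } catch {
        # Get-WinEvent also throws when a DC has zero matching events; that is not a failure here.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "${dc}: $($_.Exception.Message)"
        }
    }
}

if ($Username) {
    # Exact, case-insensitive comparison on the account name field.
    $lockouts = $lockouts | Where-Object { $_.LockedAccount -eq $Username }
}

$lockouts |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LockedAccount, CallerComputer, DomainController
```

Because the output is objects rather than a tab-separated text file, the same run can be sorted, grouped (`Group-Object CallerComputer` quickly shows which workstation keeps locking an account) or exported without re-parsing. The per-DC `try`/`catch` replaces the gist's global `$ErrorActionPreference = "SilentlyContinue"`, so a DC that could not be queried produces a warning instead of quietly disappearing from the results.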