ScriptingPro/LockoutFinder.ps1

## LockoutFinder.ps1
Import-Module ActiveDirectory

$samID = "USERIDHERE"

$Host.UI.RawUI.WindowTitle = "Finding lockouts for $samID"  #change window title just incase we have multiple running

$DCs = Get-ADDomainController -Filter * | select -ExpandProperty name

# do infinite loop, sleeping for 60 seconds each iteration, and when i find the account locked search for lockout source and log it
do{
    Get-ADUser $samID -Properties Lockedout | ?{$_.LockedOut -eq $true} | %{
        $datetime = [datetime]::now
        Write-Host "$datetime Found $samID Account Locked; Searching Events" -ForegroundColor Yellow
        foreach($DC in $DCs){
            Get-WinEvent -ComputerName $DC -Logname Security -FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$samID']]" | fl * | Out-File "$($datetime.tostring('yyyyMMdd_HHmm'))_4740_$($DC).txt"
        }
        start-sleep 60
    }
}
while($true)
	Import-Module ActiveDirectory

	$samID = "USERIDHERE"

	$Host.UI.RawUI.WindowTitle = "Finding lockouts for $samID" #change window title just incase we have multiple running

	$DCs = Get-ADDomainController -Filter * \| select -ExpandProperty name

	# do infinite loop, sleeping for 60 seconds each iteration, and when i find the account locked search for lockout source and log it
	do{
	Get-ADUser $samID -Properties Lockedout \| ?{$_.LockedOut -eq $true} \| %{
	$datetime = [datetime]::now
	Write-Host "$datetime Found $samID Account Locked; Searching Events" -ForegroundColor Yellow
	foreach($DC in $DCs){
	Get-WinEvent -ComputerName $DC -Logname Security -FilterXPath "[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$samID']]" \| fl \| Out-File "$($datetime.tostring('yyyyMMdd_HHmm'))_4740_$($DC).txt"
	}
	start-sleep 60
	}
	}
	while($true)