@ScriptingPro
Last active February 16, 2024 00:41
Find the source of AD user's account lockouts
Import-Module ActiveDirectory
$samID = "USERIDHERE"
$Host.UI.RawUI.WindowTitle = "Finding lockouts for $samID" # change window title in case we have multiple running
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
# Loop forever, sleeping for 60 seconds each iteration; when the account is found locked,
# search every DC's Security log for lockout events (ID 4740) and log them
do {
    Get-ADUser $samID -Properties LockedOut | Where-Object { $_.LockedOut -eq $true } | ForEach-Object {
        $datetime = [datetime]::Now
        Write-Host "$datetime Found $samID Account Locked; Searching Events" -ForegroundColor Yellow
        foreach ($DC in $DCs) {
            # One output file per DC, named with the time the lockout was detected
            Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$samID']]" | Format-List * | Out-File "$($datetime.ToString('yyyyMMdd_HHmm'))_4740_$($DC).txt"
        }
    }
    # Sleep on every iteration, not only when the account is locked, so the loop does not query AD continuously
    Start-Sleep -Seconds 60
}
while ($true)