Get-LockOutLocation scans domain controller event logs to find machines where a user account is being locked out.
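#Requires -Version 2.0
Function Get-LockedOutLocation
{
<#
.SYNOPSIS
    Locates the computer that processed the failed logon attempt which caused a user account to become locked out.

.DESCRIPTION
    Locates the computer that processed the failed logon attempt which caused a user account to become locked out.

    Every domain controller is asked for the account's bad-password attributes, and the results are
    written out as a table to aid further troubleshooting. The lockout location itself is then found
    by querying the Security log of the PDC Emulator for account-lockout events (4740) whose target
    SID is exactly the SID of the requested account.

.PARAMETER Identity
    The account to investigate, in any form accepted by Get-ADUser -Identity.

.EXAMPLE
    PS C:\>Get-LockedOutLocation -Identity Joe.Davis

    This example will find the locked out location for Joe Davis.

.NOTES
    This function is only compatible with an environment where the domain controller holding the PDCe role runs Windows Server 2008 SP2 or later.
    The script also depends on the ActiveDirectory PowerShell module, which requires AD Web Services to be running on at least one domain controller.
    The caller needs permission to read the Security event log on the PDC Emulator remotely.

    Author: Jason Walker
    Last Modified: 3/20/2013
#>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$Identity
    )

    Begin
    {
        $DCCounter = 0
        $LockedOutStats = @()
        $ModuleLoaded = $True

        Try
        {
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        Catch
        {
            Write-Warning $_
            # Record the failure instead of using Break: outside a loop, Break
            # unwinds into the caller and can terminate the caller's own loop or script.
            $ModuleLoaded = $False
        }
    }#end begin

    Process
    {
        If(-not $ModuleLoaded)
        {
            Return
        }

        # SID of the requested account, taken from the first DC that answers.
        # Kept separate from $UserInfo so a failed query on a later DC cannot leave it stale or empty.
        $UserSid = $Null

        #Get all domain controllers in domain
        Write-Verbose "Finding the domain controllers in the domain"
        # @() keeps .Count valid when the domain has a single DC (a scalar has no Count in PowerShell 2.0).
        $DomainControllers = @(Get-ADDomainController -Filter *)
        $PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})

        Foreach($DC in $DomainControllers)
        {
            $DCCounter++
            Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)

            Try
            {
                # badPasswordTime is requested explicitly; without it the BadPasswordTime field below is always empty.
                $UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut,badPasswordTime -ErrorAction Stop
            }
            Catch
            {
                Write-Warning $_
                Continue
            }

            If(-not $UserSid)
            {
                $UserSid = $UserInfo.SID.Value
            }

            If($UserInfo.LastBadPasswordAttempt)
            {
                $LockedOutStats += New-Object -TypeName PSObject -Property @{
                    Name                   = $UserInfo.SamAccountName
                    SID                    = $UserInfo.SID.Value
                    LockedOut              = $UserInfo.LockedOut
                    BadPwdCount            = $UserInfo.BadPwdCount
                    BadPasswordTime        = $UserInfo.BadPasswordTime
                    DomainController       = $DC.Hostname
                    AccountLockoutTime     = $UserInfo.AccountLockoutTime
                    LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()
                }
            }#end if
        }#end foreach DCs
        Write-Progress -Activity "Contacting DCs for lockout info" -Completed

        $LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize

        # Without a SID there is nothing to match on. Stopping here matters: an empty
        # pattern would match every 4740 event and attribute other users' lockouts to this account.
        If(-not $UserSid)
        {
            Write-Warning "No domain controller returned account information for '$Identity'; skipping the event log search."
            Return
        }

        #Get lockout events from the PDC Emulator
        Try
        {
            Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
            $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
        }
        Catch
        {
            Write-Warning $_
            # Return, not Continue: there is no enclosing loop here, so Continue would
            # escape into the caller's control flow.
            Return
        }#end catch

        # $Event is an automatic variable in PowerShell, so the loop variable uses a different name.
        Foreach($LockoutEvent in $LockedOutEvents)
        {
            # Exact comparison rather than -match: a regex/substring test would also accept
            # any SID that merely contains this one (for example a longer RID with the same prefix).
            If([String]$LockoutEvent.Properties[2].Value -eq $UserSid)
            {
                $LockoutEvent | Select-Object -Property @(
                    @{Label = 'User';               Expression = {$_.Properties[0].Value}}
                    @{Label = 'DomainController';   Expression = {$_.MachineName}}
                    @{Label = 'EventId';            Expression = {$_.Id}}
                    @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
                    @{Label = 'Message';            Expression = {$_.Message -split "`r" | Select-Object -First 1}}
                    # NOTE(review): this field is reported by the event itself and may be
                    # empty or name a device outside the domain; treat it as a lead to verify.
                    @{Label = 'LockedOutLocation';  Expression = {$_.Properties[1].Value}}
                )
            }#end if event
        }#end foreach lockedout event
    }#end process
}#end function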