@lansalot
Created August 25, 2021 12:15
Scan all writable DCs for a logon, logoff or lockout event (optionally filtered to one account) over the last N minutes.
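<#
.SYNOPSIS
Scan-Lockouts
Go round the writable DCs looking for account activity (logon, logoff or lockout events).
.DESCRIPTION
Starts one background job per writable domain controller, reads the Security log of each
DC over RPC with Get-WinEvent, and prints matching events as the jobs finish. Needs the
ActiveDirectory module (RSAT) on the machine running the script, and rights to read the
Security log on every DC (e.g. membership of Event Log Readers on the DCs, or Domain Admins).
.PARAMETER Minutes
How many minutes to look back over (default 15). Must be at least 1.
.PARAMETER AccountName
Account (sAMAccountName) to search for. It is matched as a whole word against the rendered
event message, so for 4624 the SubjectUserName can match as well as the TargetUserName.
Leave it empty to return every event of the chosen type.
.PARAMETER Event
One of either Logon (4624), LogOff (4634 and 4647), or Lockout (4740).
.EXAMPLE
Scan-Lockouts.ps1 -Minutes 30 -AccountName lansalot -Event Lockout
.NOTES
4740 is written by the DC that processed the lockout and by the PDC emulator; the machine
that sent the bad passwords is in the event's "Caller Computer Name" field.
#>
Param(
    # Not Mandatory: a Mandatory parameter never uses its default, so the documented 15 was never applied.
    # A lookback of 0 or less would put StartTime in the future and return nothing, hence the lower bound.
    [ValidateRange(1, 2147483647)][int] $Minutes = 15,
    [string] $AccountName,
    # NOTE(review): $Event shadows PowerShell's automatic $Event variable; kept for caller compatibility.
    [Parameter(Mandatory=$true)][ValidateSet("Logon","LogOff","Lockout")] [String] $Event
)

# Security-Auditing event IDs per activity type. 4647 ("User initiated logoff") replaces the
# original 4637, which is not a logon/logoff event ID.
$eventIds = @{
    Logon   = 4624
    LogOff  = @(4634, 4647)
    Lockout = 4740
}
$ids = $eventIds[$Event]

# Hand the jobs a real DateTime. The original formatted it with "hh:mm:ss" (12-hour clock, no
# AM/PM designator), so a run at 14:30 searched from 02:30 and a run just after midnight got a
# StartTime in the future, i.e. no results.
$since = [DateTime]::Now.AddMinutes(-1 * $Minutes)

# Escape regex metacharacters and anchor on word boundaries, so "bob" does not match "bobby" and a
# name containing "." or "$" (a machine account, for instance) is not interpreted as a pattern.
$pattern = if ([string]::IsNullOrEmpty($AccountName)) { '' } else { '\b' + [regex]::Escape($AccountName) + '\b' }

$writableDCs = @(Get-ADDomainController -Filter { isreadonly -eq $false } | Select-Object -ExpandProperty Name)
if ($writableDCs.Count -eq 0) {
    Write-Warning "No writable domain controllers found."
    return
}

# The job body is a literal script block and receives its inputs through -ArgumentList. The original
# interpolated $DC, $ev, $then and $AccountName into a string and compiled it with
# [ScriptBlock]::Create, so an -AccountName value containing a quote or semicolon would have run as
# code inside the job.
$queryBlock = {
    param([string] $Dc, $Ids, [DateTime] $Since, [string] $Pattern)
    try {
        $filter = @{ ProviderName = "Microsoft-Windows-Security-Auditing"; Id = $Ids; StartTime = $Since }
        # -ErrorAction Stop: an unreachable DC or an access-denied is reported by the catch below
        # instead of silently looking like "no events". Get-WinEvent also raises an error when the
        # filter matches nothing; that one is expected and is dropped in the catch.
        Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $Pattern -eq '' -or $_.Message -match $Pattern } |
            Select-Object @{ n = 'DC'; e = { $Dc } }, TimeCreated, Id, Message
    } catch {
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "PROBLEMS $Dc : $($_.Exception.Message)"
        }
    }
}

$jobs = @(foreach ($dc in $writableDCs) {
    Write-Progress -Activity "Starting job on $dc"
    try {
        Start-Job -Name "ScanLockouts-$dc" -ScriptBlock $queryBlock -ArgumentList $dc, $ids, $since, $pattern
    } catch {
        Write-Warning "FAIL $dc : $($_.Exception.Message)"
    }
})
$total = $jobs.Count

# Track only the jobs started by this run. The original polled Get-Job, which also returns (and
# here removed) unrelated jobs from the same session, and it only ever reaped jobs in the
# Completed state, so a single Failed job kept the loop spinning forever.
$pending = $jobs
while ($pending.Count -gt 0) {
    $done = $total - $pending.Count
    Write-Progress -Activity "Waiting for results..." -Status "$done of $total DCs" -PercentComplete ([int](100 * $done / $total))
    foreach ($job in $pending) {
        if ($job.State -in 'NotStarted', 'Running') { continue }
        if ($job.State -eq 'Completed') {
            # Receive-Job also forwards the Write-Warning output produced inside the job.
            $job | Receive-Job | Format-Table -Wrap
        } else {
            Write-Warning "Job $($job.Name) ended in state $($job.State): $($job.ChildJobs[0].JobStateInfo.Reason.Message)"
        }
        $job | Remove-Job -Force
    }
    $pending = @($pending | Where-Object { $_.State -in 'NotStarted', 'Running' })
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 5 }
}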