Source of AD lockout via Powershell Script

Posted on 2012-09-17
Last Modified: 2012-11-25
I need to get the source (machine or IP) of an AD account lockout via a PS script.

Given the sAMAccountName via an input file... I want to run a query against the domain controller and pull the lockout info for the user, including the source machine name.
Question by:ARM2009

    Expert Comment


    LockoutStatus works great for this.  It works best if you can "catch it in the act"

    Author Comment

    Already using this... I am looking more for a script to check on the user account instead of going through the logs.

    Expert Comment

    by:Dale Harris
    When an account is locked out, it's unfortunately not held on the AD account where the source came from. Your best bet is to use a PowerShell script to search for that specific event and find the information where it specifies the machine it came from. Let's do something similar for non-DC event logs on my computers, since I don't have access to a DC right now:

    # 4648 = "A logon was attempted using explicit credentials"; swap in the lockout ID on a DC
    $Logs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648; StartTime=((Get-Date).AddDays(-1))} -ErrorAction SilentlyContinue
    # Append each event's message text to a file, then grep it for the account lines
    $Logs | ForEach-Object { $_.Message | Add-Content -Path "LogonLog.txt" }
    Select-String -Path "LogonLog.txt" -Pattern "Account Name:"

    And then you can choose to export that as well: a very well-defined list that shows you exactly which accounts have logged in. This would be easily adapted by changing the 4648 to your specific lockout numbers and then, when you read the message, looking for the specific text that shows which computer did the lockout. You can also choose to find the computer and username associated (which account was locked out by which computer) by using that same methodology, with a -Context 6, which will also show the next 6 lines. If the computer name is only 3 lines away from where the account is specified, just use a 3 instead of 6.



    Expert Comment

    You may try this PS script. The script will prompt you to input the user name and DC name.

    $ErrorActionPreference = "SilentlyContinue"
    $UserName = Read-Host "Please enter user name"
    $DC = Read-Host "Please enter DC name"
    # Newest 4740 ("A user account was locked out") event on the DC whose message mentions the user
    $Event = Get-EventLog -ComputerName $DC -LogName Security -InstanceId 4740 | ? { $_.Message -match $UserName } | Sort-Object Index -Descending | Select-Object -First 1
    If ($Event -ne $null) {
        $User = $Event.ReplacementStrings[0]      # Target user name: the account that was locked out
        $Computer = $Event.ReplacementStrings[1]  # Caller computer name: where the bad passwords came from
        $Domain = $Event.ReplacementStrings[5]    # Subject domain name
        $Time = $Event.TimeGenerated
        Write-Host "$Domain\$User locked from computer $Computer at $Time" -BackgroundColor Yellow -ForegroundColor Red
    }
    Else { Write-Host "No events found for $UserName in $DC" -BackgroundColor Yellow -ForegroundColor Red }

    PS: On a Windows Server 2003 DC the event ID for account lockout is 539, and on Windows Server 2008 R2 it is 4740.

    Author Comment

    Would this script work using Quest PowerShell?

    Accepted Solution

    Yes, it will work. The script doesn't use Quest cmdlets, so you can also run it from a normal PowerShell console.
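The two approaches above (grepping exported message text for the computer line, and reading the 4740 ReplacementStrings on a named DC) both look at one user and one DC at a time. The following is an added example, not code from this thread or from any of the posters, that does what the question asked for: it reads a list of sAMAccountNames from an input file, pulls every 4740 event from the PDC emulator for a time window in one query, and reports the "Caller Computer Name" for each user. It assumes the ActiveDirectory module is installed (only used to locate the PDC emulator when -DomainController is not supplied), that the caller can read the DC's Security log remotely, and the input/output file paths shown, which are placeholders.

```powershell
<#
  Added example (not code from this thread). Bulk lookup of lockout sources:
  reads sAMAccountNames from a file, pulls every 4740 event from the PDC
  emulator for the last N days, and reports the "Caller Computer Name" per user.
  Assumptions: the ActiveDirectory module is installed (only used to find the
  PDC emulator when -DomainController is not given), the caller has remote
  read access to the DC's Security log, and the input/output paths below.
#>
param(
    [string]$InputFile = '.\users.txt',          # assumed path: one sAMAccountName per line
    [string]$OutputCsv = '.\LockoutSources.csv', # assumed path
    [string]$DomainController,                    # defaults to the PDC emulator below
    [int]$Days = 7
)

# Every lockout is processed by the PDC emulator, so its Security log is the
# one place that always has the 4740 for any account in the domain.
if (-not $DomainController) { $DomainController = (Get-ADDomain).PDCEmulator }

# Read the 4740 fields by name from the event XML rather than by
# ReplacementStrings index, so a different field order cannot silently
# swap the user and the computer.
function ConvertFrom-LockoutEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        User           = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # 4740 carries "Caller Computer Name" in this field
        Time           = $Event.TimeCreated
        DC             = $Event.MachineName
    }
}

$users  = Get-Content -Path $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }

# One remote query for the whole window, then match locally: far cheaper than
# one Get-EventLog call per user. -ErrorAction SilentlyContinue hides
# Get-WinEvent's "No events were found" error when the window is empty.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertFrom-LockoutEvent -Event $_ }

$results = foreach ($u in $users) {
    # -eq on strings is case-insensitive, which matches how AD treats sAMAccountName
    $hits = @($events | Where-Object { $_.User -eq $u } | Sort-Object Time -Descending)
    if ($hits.Count -eq 0) {
        [pscustomobject]@{ User = $u; Time = $null; CallerComputer = $null; DC = $DomainController; Note = "no 4740 in last $Days days" }
    } else {
        foreach ($h in $hits) {
            [pscustomobject]@{ User = $h.User; Time = $h.Time; CallerComputer = $h.CallerComputer; DC = $h.DC; Note = '' }
        }
    }
}

$results | Export-Csv -Path $OutputCsv -NoTypeInformation
$results | Format-Table -AutoSize
```

Two caveats when reading the output. The Caller Computer Name is the machine that sent the bad passwords to the DC, which is not always the real origin: if it is blank, or it is itself a DC, an Exchange/OWA server, a VPN concentrator or another relay, the next hop is the failed-authentication events on that host (4771 with failure code 0x18 or 4776 on the DC, 4625 on the member server) for the same account around the same time. And because the script matches the sAMAccountName exactly instead of doing -match on the message text, a name like "jsmith" will no longer also match "jsmith2" or "ajsmith".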
