Source of AD lockout via Powershell Script

Posted on 2012-09-17
Medium Priority
Last Modified: 2012-11-25
need to get a source (machine or ip) for AD account lockout via PS script.

given samaccountname via the input file.... want to run query against the domain controller and pull the lockout info for user including the source/machine name
Question by:ARM2009

Expert Comment

ID: 38407425

LockoutStatus works great for this.  It works best if you can "catch it in the act"

Author Comment

ID: 38407439
already using this... i am looking more of a script to check on user account instead of going through logs.
LVL 16

Expert Comment

by:Dale Harris
ID: 38436183
When an account is locked out, it's not held on the AD Account where the source came from unfortunately.  Your best best is to use a powershell script to search for that specific event, and find the information where it specifies the machine it came from.  Let's do something similar for non-DC event logs on my computers, since I don't have access to a DC right now:

$Logs = Get-WinEvent -FilterHashTable @{LogName='Security'; id=4648; StartTime=((get-date).adddays(-1))} -ErrorAction SilentlyContinue
$Logs | %{$_.message >> "LogonLog.txt"}
Select-string -path "LogonLog.txt" "Account Name:"

Open in new window

And then you can choose to export that as well, a very well defined list that shows you exactly which accounts have logged in.  This would be easily adapted by changing the 4648 to your specific lockout numbers, and then when you read the message, look for the specific text that shows which computer did the lock out.  You can also choose to find the computer and username associated (which account was locked out by which computer) by using that same methodology, by using a -context 6 which will show also the next 6 lines.  If the Computer name is only 3 lines away from where the account is specified, just use a 3 instead of 6.


What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

LVL 40

Expert Comment

ID: 38470807
You may try this PS script.. Script will prompt you to input the user name and DC name.

$ErrorActionPreference = SilentlyContinue
$UserName = Read-Host "Please enter user name"
$DC = Read-Host "Please enter DC name"
$Event = get-eventlog -computer $DC -log security -InstanceID “4740" | ? {$_.Message -match $UserName} | Sort-Object index -Descending | select -first 1
If ($Event -ne $null){
$User = $Event.ReplacementStrings[0]
$Computer = $Event.ReplacementStrings[1]
$Domain = $Event.ReplacementStrings[5]
$Time = $Event.TimeGenerated
Write-Host "$Domain\$user Locked from computer $Computer at $Time" -BackgroundColor Yellow -ForegroundColor Red
Else {Write-Host "No Events found for "$UserName" in $DC" -BackgroundColor Yellow -ForegroundColor Red}

Open in new window

PS : In Windows Server 2003 DC the event ID for account lockout is 539 and In Windows Server 2008 R2, it is 4740.

Author Comment

ID: 38584167
would this script work using quest powershell?
LVL 40

Accepted Solution

Subsun earned 1500 total points
ID: 38584230
Yes it will work. The Script doesn't use Quest CMDLETs , so you can also run in from normal PowerShell console.

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Screencast - Getting to Know the Pipeline

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question