How many times have you had to research where account lockouts are coming from, that is, which computer is locking out the AD account? It could be
- a disconnected Remote Desktop session
- a scheduled task
- an application on a server
- a service running under the AD account's credentials
- a wireless profile with PEAP configured on phones and other devices
So I wrote this PowerShell script to query the Security event log on a domain controller and list the CallerComputer from which the lockouts are coming.
The script takes two parameters: the username and the domain controller name.
Note: You need to run this script as a Domain Administrator, or at least with Server Operators privileges.
e.g.,
Search-Lockout-Events.ps1 -username JohnDoe -DomainControllerName HQ-IT-DC01.company.com
Here is the script; either download it from HERE or copy/paste it from below:
<#
Script: Search-Lockout-Events.ps1
Parameters:
  UserName            : SAMAccountName of the user
  DomainControllerName: domain controller name (FQDN is better)
Purpose: Search the given domain controller for "bad password attempt" and
  "account locked out" events in the Security event log and list the
  CallerComputer from which the account lockouts are coming.
Written By: Anand, the Awesome, Venkatachalapathy
#>
param($Username, $DomainControllerName)

# File name to store the lockout events
$ReportFile = ".\$Username-Lockedout-Events.txt"

# Query the domain controller's Security log for today's lockout events
# (644 = legacy lockout ID, 4740 = account locked out, 4625 = logon failed)
$LockoutEvents = Get-WinEvent -FilterHashtable @{logname='Security';starttime=[DateTime]::Today;id=644,4740,4625} `
    -ComputerName $DomainControllerName | Where-Object { $_.Message -like "*$Username*" }

# Display the date and caller computer from the event logs
"Date/time`t`tCallerComputer"
foreach ($LockoutEvent in $LockoutEvents)
{
    $message = ($LockoutEvent.Message).Split("`n`r")
    $TimeCreated = [String] $LockoutEvent.TimeCreated
    # Reset per event so an event without this field does not reuse the previous value
    $CallerComputer = ''
    # Find the caller computer in the event message (4740 reports it as
    # "Caller Computer Name:", 4625 as "Workstation Name:"; a tab follows the colon)
    foreach ($line in $message)
    {
        if ($line -like '*Caller Computer Name:*' -or $line -like '*Workstation Name:*')
        { $CallerComputer = ($line -split ':', 2)[1].Trim() }
    }
    $TimeCreated + "`t`t" + $CallerComputer
    # Store the full event details in the report file
    $LockoutEvent | Format-List | Out-File -FilePath $ReportFile -Append
}
# * * * End of the Script * * *
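As an added example (not the author's script above), the same lookup can read the event's XML fields by name instead of scraping the localized message text, default to the PDC emulator (where every 4740 lockout is recorded), and tally which computers are generating the attempts. The function name, parameters and the sample user/DC values are assumptions for illustration.

```powershell
# Added example: parse lockout and failed-logon events by EventData field
# name and summarise the sources. Requires rights to read the DC's Security log.
function Get-LockoutSources {
    param(
        [Parameter(Mandatory)][string]$UserName,
        # Default to the PDC emulator: all 4740 lockouts are forwarded to it
        [string]$DomainControllerName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name,
        [datetime]$StartTime = [DateTime]::Today
    )
    # 4740 = account locked out, 4625 = an account failed to log on
    $filter = @{ LogName = 'Security'; Id = 4740, 4625; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ComputerName $DomainControllerName -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name: immune to tabs, wording and display language
        $d = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        if ($d['TargetUserName'] -ne $UserName) { continue }

        if ($e.Id -eq 4740) {
            # Quirk of 4740: the "Caller Computer Name" shown in the message is stored in TargetDomainName
            $source = $d['TargetDomainName']
            $ip = $null
        } else {
            $source = $d['WorkstationName']
            $ip = $d['IpAddress']
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Source      = if ($source) { $source } else { '<not recorded>' }
            IpAddress   = $ip
            # 4625 only: 3 = network, 4 = batch/scheduled task, 5 = service, 10 = RDP
            LogonType   = $d['LogonType']
        }
    }
}

# Which computers (per event type) are producing the attempts, most frequent first
Get-LockoutSources -UserName 'JohnDoe' -DomainControllerName 'HQ-IT-DC01.company.com' |
    Group-Object EventId, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The LogonType on the 4625 rows points at the cause class (scheduled task, service, disconnected RDP session), which the message-scraping approach does not surface.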