05 April 2011

Scripts to see where your account is getting locked out from

In a previous article I covered the basics of account lockout.

Essentially this is a way to automate, or at least reduce, the effort it takes to go through the logs looking for event ID 644 on 2003 or 4740 on 2008. The placeholders ADSERVERNAME and USERNAME (shown in red in the original post) should be replaced by the relevant info.

Windows 2003 VB Script
Using the script below you can extract the security event log and only show the events that you are interested in.

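' The (Security) privilege is needed to read the Security log through WMI.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\ADSERVERNAME\root\cimv2")
' Event 644 = account locked out on Windows 2003; the Message filter narrows it to one user.
Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security' and EventCode = '644' and Message like '%USERNAME%'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Message: " & objEvent.Message & VBNewLine
Next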

Windows 2008 PowerShell
In PowerShell we don't have to run VBScript; we can call the objects we want directly.

Get-EventLog -ComputerName ADSERVERNAME -LogName Security -InstanceId 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message

You can also output the result to a file by adding Tee-Object to the end of the pipeline:

Get-EventLog -ComputerName ADSERVERNAME -LogName Security -InstanceId 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message | Tee-Object -FilePath output.txt

In both cases you should get an output that looks similar to

By running the scripts you can save yourself the effort of trawling through logs on multiple servers.

Since it is already very filtered by the time you get the results it should be pretty much just what you are looking for.

These scripts can of course be built on to make them more user friendly for support staff etc., but this should give you the gist of it.
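One way to build on the PowerShell one-liner, as an added example that is not part of the original post: it queries several domain controllers for event 4740 and pulls the locked-out account and the caller computer name out of each event, so you can see which machine the lockouts come from. The function names, ADSERVERNAME1/ADSERVERNAME2, jsmith and the sample entry are assumptions made up for illustration.

```powershell
# Added example. Function names and all sample values are hypothetical.
function ConvertTo-LockoutRecord {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string] $DomainController
    )
    process {
        # Event 4740 insertion strings: [0] = locked-out account,
        # [1] = caller computer name (the machine the failed logons came from).
        New-Object PSObject -Property @{
            TimeGenerated    = $Entry.TimeGenerated
            DomainController = $DomainController
            Account          = $Entry.ReplacementStrings[0]
            CallerComputer   = $Entry.ReplacementStrings[1]
        }
    }
}

function Get-LockoutSource {
    param(
        [string[]] $ComputerName,
        [string]   $UserName,
        [datetime] $After = (Get-Date).AddDays(-1)   # only look at the last day by default
    )
    foreach ($dc in $ComputerName) {
        try {
            # -ErrorAction Stop turns "no matches" and "server unreachable" into
            # catchable errors, so one bad server does not abort the whole run.
            Get-EventLog -ComputerName $dc -LogName Security -InstanceId 4740 `
                         -After $After -ErrorAction Stop |
                ConvertTo-LockoutRecord -DomainController $dc |
                Where-Object { $_.Account -eq $UserName }
        } catch {
            Write-Warning "No lockout events returned from ${dc}: $($_.Exception.Message)"
        }
    }
}

# Constructed sample entry (not real log data) so the parsing can be tried offline.
$sample = New-Object PSObject -Property @{
    TimeGenerated      = [datetime]'2011-04-05 09:15:00'
    ReplacementStrings = @('jsmith', 'WKS-0042')
}
$sample | ConvertTo-LockoutRecord -DomainController 'ADSERVERNAME1' | Format-List

# Live use against real domain controllers (placeholders as in the post):
# Get-LockoutSource -ComputerName ADSERVERNAME1, ADSERVERNAME2 -UserName jsmith |
#     Group-Object CallerComputer | Sort-Object Count -Descending |
#     Format-Table Count, Name -AutoSize
```

Grouping by CallerComputer puts the machine generating the most lockouts at the top, which is usually where the stale credential lives.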


Anonymous said...

I'm getting "Invalid parameter - Timegenerated"

Anonymous said...

'format list' should be 'format-list'.
