07 January 2013

Use PowerShell to query multiple AD server for account lockout events

Here is a quick tip on how to query a named list of domain controller to find a lockout event for a particular users.  This is always a problem since often users have no idea from where the failed authentication attempts are coming that results in the lockout.

Invoke-Command -computername ADSERVER1,ADSERVER2 -command {Get-EventLog Security | where { $_.eventid -eq 4740 -and $_.message -like "*Username*"}} | format-list

This will return a result that looks like this, from here you can see the caller computer from there the account lockout happened.


Simply add additional servers as a comma separated list next to -computername parameter to query more server.

the Username can also contain wildcard character so you can specify "Joe*" or "*Bloggs"

The servers need to be configured for enable PSRemoting to remotely run the query.  On the AD Servers run Powershell as the administrator.

Enable-PSRemoting 

Yes or All top confirm the changes

No comments:

Post a Comment