07 January 2013

Use PowerShell to query multiple AD servers for account lockout events

Here is a quick tip on how to query a named list of domain controllers to find the lockout events for a particular user. This is a recurring problem, because users usually have no idea where the failed authentication attempts that result in the lockout are coming from.

Invoke-Command -ComputerName ADSERVER1,ADSERVER2 -ScriptBlock { Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4740 -and $_.Message -like "*Username*" } } | Format-List

This will return a result that looks like this; in the event's message, the Caller Computer Name field shows the computer from which the account lockout originated.

Simply add more servers as a comma-separated list to the -ComputerName parameter to query more servers.

The Username can also contain wildcard characters, so you can specify "Joe*" or "*Bloggs".

The servers need PowerShell Remoting enabled before the query can be run remotely. On the AD servers, run PowerShell as administrator and run Enable-PSRemoting, then answer Yes or Yes to All to confirm the changes.
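As an added example (not the original post's command), the same lookup written as a script: it queries each listed domain controller over remoting, lets the event log service filter on event 4740 and a time window instead of piping the whole Security log through Where-Object, and pulls the locked account and caller computer out of each event's XML. The server names, the sample account and the 24-hour window are placeholders.

```powershell
# Added example, not from the original post. Assumes PowerShell Remoting is enabled
# on the domain controllers and the caller may read their Security logs.
param(
    [string[]]$DomainController = @('ADSERVER1', 'ADSERVER2'),  # placeholder DC names
    [string]$UserName = 'jbloggs',                               # constructed sample account
    [int]$Hours = 24                                             # how far back to search
)

$since = (Get-Date).AddHours(-$Hours)

$events = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    param($since)
    # FilterHashtable is evaluated by the event log service, so only 4740 events
    # newer than $since are returned; SilentlyContinue hides "no events found".
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the EventData fields by name rather than by position.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                LockedUser     = $data['TargetUserName']
                # In event 4740 the "Caller Computer Name" shown in the message text
                # is stored in the TargetDomainName field of the event data.
                CallerComputer = $data['TargetDomainName']
                DC             = $env:COMPUTERNAME
            }
        }
} -ArgumentList $since

# Wildcards work here the same way as in the one-liner, e.g. -UserName 'Joe*'.
$matched = $events | Where-Object { $_.LockedUser -like $UserName } | Sort-Object TimeCreated -Descending

$matched | Format-Table TimeCreated, LockedUser, CallerComputer, DC -AutoSize

# Summary: which machines are generating the lockouts, and how often.
$matched | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object @{ n = 'CallerComputer'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The same lockout is usually logged on the PDC emulator as well as the DC that processed the bad password, so the summary counts may include duplicates across DCs; the per-event table shows which DC each record came from.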
