#powershell
So following on from my last post, once an AD account is locked out, who or what the hell done it?
Typically you start with the account lockout tool (http://www.microsoft.com/download/en/details.aspx?id=15201) which will tell you when and what DC locked the account.
Next thing to do is to check the Security Event log out on the DC that locked you out to see who or what locked you out.
I have been playing cat and mouse with this over the last few days, and knocked this little baby up:
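#Script Start
# Show the lockout event (ID 4740) logged on a DC within one second either side of a given time.
PARAM(
    [Parameter(Mandatory=$true)][String]$DC,
    [Parameter(Mandatory=$true)][String]$Time
)
# $Time is parsed using the current culture, so 12/09/2011 can mean 12 September or 9 December.
$xtime = Get-Date $Time
$xstart = $xtime.AddSeconds(-1)
$xEnd = $xtime.AddSeconds(1)
Write-Host "DC:.... " $DC
Write-Host "Start:. " $xstart
Write-Host "End:... " $xEnd
# Event 4740 is "A user account was locked out"; its message names the account and the caller computer.
Get-WinEvent -ComputerName $DC -FilterHashtable @{logname="Security"; id=4740; StartTime=$xstart; EndTime=$xEnd} | Format-List TimeCreated, Message
#Script End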
Save the above as “get-lockout.ps1”. I found get-winevent a shed load quicker than get-event.
Usage:
.\get-lockout.ps1 -DC <DC> -Time "12/09/2011 09:33:00"
enjoy
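The script above prints the 4740 message as text. As an added example (not part of the original script), the function below reads the same event's XML and returns the locked account and the caller computer as object properties, so results from several DCs can be sorted or exported. The function name, the sample event and the names in it (DC01.example.test, jbloggs, WKSTN-042) are constructed for illustration.

```powershell
# Added example: parse event 4740 XML into an object instead of reading Message text.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Index the <Data Name="..."> elements of EventData by their Name attribute.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            # XmlConvert copes with the 9-digit fractional seconds the event log writes.
            TimeCreatedUtc = [System.Xml.XmlConvert]::ToDateTime(
                                 $evt.System.TimeCreated.SystemTime, 'Utc')
            DC             = $evt.System.Computer
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# Constructed sample event (trimmed to the fields used), so the function runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2011-09-12T09:33:00.000000000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jbloggs</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LockoutEventXml

# Against a live DC, feed it the events found by the same filter as get-lockout.ps1:
# Get-WinEvent -ComputerName $DC -FilterHashtable @{logname="Security"; id=4740;
#     StartTime=$xstart; EndTime=$xEnd} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutEventXml
```

The CallerComputer value is the machine the failed logons came from, which is where to look next for a stale saved password, mapped drive or service.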