Who locked me out?


So following on from my last post, once and AD account is locked out, who or what the hell done it!

Typically you start with the account lockout tool (http://www.microsoft.com/download/en/details.aspx?id=15201) which will tell you when and what DC locked the account.

Next thing to do is to check the Security Event log out on the DC that locked you out to see who or what locked you out.

I have been playing cat and mouse with this over the last few days, and knocked this little baby up

#Script Start

PARAM([String]$DC="", [String]$Time = "")
$xtime  = get-date $time
$xstart = $xtime.AddSeconds(-1)
$xEnd   = $xtime.AddSeconds(1)
Write-Host "DC:…. " $DC
Write-Host "Start:. " $xstart
Write-Host "End:… " $xend
Get-WinEvent -ComputerName $DC -FilterHashtable @{logname="Security"; id=4740; StartTime=$xstart; EndTime=$xEnd} | fl TimeCreated, Message

#Script End

Save the above as “get-lockout.ps1”,  I found get-winevent a shed load quicker than get-event


.get-lockout.ps1  -DC <DC> -Time "12/09/2011 09:33:00"


AD Account Lockout


So whose great idea was it to force a password change on service accounts every 60 days? Bunch of donkeys!?!

Anyway, so if you AD account gets locked out, check this out.  On tried with Windows 2008R2

import-module activedirectory

Unlock-ADAccount <account> –Server <DC>

NB the DC needs to have the “Active Directory Web Service” started