Who locked me out?

#powershell

So following on from my last post: once an AD account is locked out, who or what the hell did it?

Typically you start with the account lockout tool (http://www.microsoft.com/download/en/details.aspx?id=15201), which will tell you when the account was locked and which DC locked it.

Next thing to do is to check the Security event log on the DC that locked you out to see who or what locked you out.

I have been playing cat and mouse with this over the last few days, and knocked this little baby up:

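#Script Start

# Both parameters are required: the DC that locked the account and the lockout time
PARAM([Parameter(Mandatory=$true)][String]$DC, [Parameter(Mandatory=$true)][String]$Time)
$xtime  = Get-Date $Time
# Search a window of one second either side of the reported lockout time
$xstart = $xtime.AddSeconds(-1)
$xEnd   = $xtime.AddSeconds(1)
Write-Host "DC:.... " $DC
Write-Host "Start:. " $xstart
Write-Host "End:... " $xEnd
# Event ID 4740 = "A user account was locked out"
Get-WinEvent -ComputerName $DC -FilterHashtable @{logname="Security"; id=4740; StartTime=$xstart; EndTime=$xEnd} | fl TimeCreated, Message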

#Script End

Save the above as “get-lockout.ps1”. I found get-winevent a shed load quicker than get-event.

Usage:

.\get-lockout.ps1 -DC <DC> -Time "12/09/2011 09:33:00"
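
The script above prints the whole event message. As an added example (not part of the original script), the function below pulls just the locked account and the calling machine out of a 4740 event's XML. The function name and the sample event are made up for illustration; it assumes the 4740 field names TargetUserName and TargetDomainName.

```powershell
# Added example: reduce a 4740 event to "which account, locked from which machine".
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory=$true)][string]$EventXml)

    $evt = ([xml]$EventXml).Event

    # Index the named <Data> fields so the result does not depend on their order.
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The caller name can be empty in the event; make that visible instead of printing nothing.
    $caller = $data['TargetDomainName']
    if ([string]::IsNullOrEmpty($caller)) { $caller = '(blank)' }

    [pscustomobject]@{
        TimeCreatedUtc = $evt.System.TimeCreated.SystemTime
        DC             = $evt.System.Computer
        LockedAccount  = $data['TargetUserName']
        # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
        CallerComputer = $caller
    }
}

# Constructed sample event (names and values are invented) so this runs without a DC.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2011-09-12T08:33:00.000000000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jbloggs</Data>
    <Data Name="TargetDomainName">WKSTN042</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>
'@

ConvertFrom-LockoutEventXml -EventXml $sample

# Against a live DC, feed it the same query the script uses:
# Get-WinEvent -ComputerName $DC -FilterHashtable @{logname="Security"; id=4740; StartTime=$xstart; EndTime=$xEnd} |
#     ForEach-Object { ConvertFrom-LockoutEventXml -EventXml $_.ToXml() }
```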

enjoy
