Who locked me out?

#powershell

So following on from my last post, once an AD account is locked out, who or what the hell did it?

Typically you start with the account lockout tool (http://www.microsoft.com/download/en/details.aspx?id=15201), which will tell you when the account was locked and which DC locked it.

The next thing to do is check the Security event log on the DC that locked the account to see who or what locked you out.

I have been playing cat and mouse with this over the last few days, and knocked this little baby up:

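#Script Start

# Show the account lockout event (ID 4740) logged on a DC at a given time
PARAM([Parameter(Mandatory=$true)][String]$DC, [Parameter(Mandatory=$true)][String]$Time)
# Search a window of one second either side of the reported lockout time
$xtime  = Get-Date $Time
$xstart = $xtime.AddSeconds(-1)
$xEnd   = $xtime.AddSeconds(1)
Write-Host "DC:.... " $DC
Write-Host "Start:. " $xstart
Write-Host "End:... " $xEnd
# The 4740 message includes the caller computer name, i.e. where the bad logons came from
Get-WinEvent -ComputerName $DC -FilterHashtable @{logname="Security"; id=4740; StartTime=$xstart; EndTime=$xEnd} | Format-List TimeCreated, Message

#Script End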

Save the above as “get-lockout.ps1”. I found get-winevent a shed load quicker than get-event.

Usage:

.\get-lockout.ps1 -DC <DC> -Time "12/09/2011 09:33:00"

enjoy
