Investigating account lockouts with PowerShell

From MyWiki
Revision as of 10:24, 27 April 2016 by George2

Reference - http://www.tomsitpro.com/articles/powershell-active-directory-lockouts,2-848.html

  1. Find the domain controller that holds the PDC emulator role: (Get-ADDomain).PDCEmulator
  2. Using this information, run the following PowerShell query:
## Define the username that's locked out
$Username = 'abertram'
 
## Find the domain controller that holds the PDCe role (requires the ActiveDirectory module)
$Pdce = (Get-ADDomain).PDCEmulator
 
## Build the parameters to pass to Get-WinEvent
## Event ID 4740 = "A user account was locked out"
$GweParams = @{
     'ComputerName' = $Pdce
     'LogName' = 'Security'
     'FilterXPath' = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$Username']]"
}
 
## Query the security event log
$Events = Get-WinEvent @GweParams