AD Account Lockout Script

	.SYNOPSIS
	Displays the list of accounts that have been locked out in AD since the last time each DC's Event Log rolled over.

	.DESCRIPTION
	By default, this script displays the list of accounts that have been locked out in the current domain since the last time the Event Log rolled over. Results can be filtered using the parameters below.

	.PARAMETER forest
	Queries all DCs in the current forest.

	.PARAMETER domain
	Queries only DCs within the specified domain. If no domain is given, it defaults to the current domain.

	.PARAMETER dcs
	Queries only the specified DCs.

	.PARAMETER start
	Filter by start time in 'MM/dd/yyyy HH:mm:ss' format.

	.PARAMETER end
	Filter by end time in 'MM/dd/yyyy HH:mm:ss' format.
	.NOTES
	Author  : Chrissy LeMaire
	Requires: PowerShell Version 3.0
	DateUpdated: 2015-Feb-5
	Version: 1.1
	.EXAMPLE
	.\Get-LockoutHistory.ps1
	Gets all locked out accounts in the current domain.

	.EXAMPLE
	.\Get-LockoutHistory.ps1 -forest
	Gets all locked out accounts in the current forest.

	.EXAMPLE
	.\Get-LockoutHistory.ps1 -domain ad.local -start '1/28/2015' -end '1/29/2015'
	Gets all locked out accounts in the ad.local domain, starting at 01/28/2015 00:00:00 and ending at 01/29/2015 00:00:00.
#Requires -Version 3.0

# NOTE(review): this listing is a web extraction. Several closing braces and the
# right-hand side of a few assignments (the lines that end in a bare "$") were
# dropped; the original script is expected to close every if/foreach/try block.
# Those parts are not reconstructed here.

# Normalise the -domain argument. The later Where-Object uses -eq, which is
# case-insensitive in PowerShell, so this mostly affects how the name is shown.
if ($domain.length -ne 0) { $domain = $domain.toLower() }

# Build the DC list from the forest when -forest or -domain was given and no
# explicit -dcs list was supplied.
if (($forest -eq $true -or $domain -ne $null) -and $dcs.length -eq 0) {
	$currentforest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
	$currentdomains = $currentforest.Domains
	if ($domain.length -ne 0) {
		# Keep only the forest domain whose Name matches -domain; abort if absent.
		$singledomain = ($currentdomains | Where-Object { $_.Name -eq $domain })
		if ($singledomain -eq $null) { throw "$domain could not be found in the forest." }
		# The assigned expression was lost in extraction — presumably the domain
		# controllers of $singledomain; confirm against the original script.
		$dcs = $ 
	} else { $dcs = $ }   # likewise lost; presumably the DCs of every forest domain

# Fallback when nothing above produced a DC list: the current domain's DCs.
if ($dcs -eq $null) {
	$currentdomain = [directoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
	$dcs = $currentdomain.FindAllDomainControllers()

# Security-log filter for event 4740 (the account-lockout event this script is about).
$filter = @{LogName='Security';Id=4740;}

# Optional time window. Get-Date -Format returns a *string*, not a [datetime];
# the StartTime/EndTime filter keys are documented as datetimes, so this relies
# on Get-WinEvent converting the string back — worth confirming.
if ($start -ne $null) {
	$start = (Get-Date $start -Format 'MM/dd/yyyy HH:mm:ss')
	$filter += @{StartTime=$start;}
	Write-Host "Filter Start: $start" -ForegroundColor Yellow

if ($end -ne $null) {
	$end = (Get-Date $end -Format 'MM/dd/yyyy HH:mm:ss')
	$filter += @{EndTime=$end;}
	Write-Host "Filter End: $end" -ForegroundColor Yellow

# $lockedout accumulates one record per lockout event across all DCs.
$allevents = $null; $lockedout = @()

# Query each DC's Security log remotely; each DC is handled independently so one
# unreachable DC does not stop the run (see the catch block).
foreach ($dc in $dcs) {
Write-Host "Contacting $dc" -ForegroundColor Green
	try {
		# -ErrorAction Stop makes "no events found" a terminating error handled below.
		# ToXml() is applied to every returned event; the fragments are then wrapped in
		# a single <root> element so they parse as one [xml] document.
		$allevents = (Get-WinEvent -ComputerName $dc -FilterHashtable $filter   -ErrorAction Stop).ToXml()
		$allevents = "<root>$allevents</root>"

		foreach ($event in ([xml]$allevents).root.Event) {
			# The collection piped into each Where-Object was lost in extraction —
			# presumably the event's data fields, matched by their Name attribute.
			# TargetUserName = account that was locked out.
			$user = ($ |  Where-Object { $_.Name -eq "TargetUserName" }).'#text'
			# TargetDomainName = shown as "From" (the reported source of the lockout).
			$from = ($ | Where-Object { $_.Name -eq "TargetDomainName" }).'#text'
			# NOTE(review): this reassigns the foreach loop variable $dc. From here on
			# $dc is the SubjectUserName from the event (computer account, trailing "$"
			# trimmed), not the DC being queried — so the -Server $DC lookup below and
			# the "$dc was unreachable" warning in the catch block name that DC instead.
			$dc = (($ | Where-Object { $_.Name -eq "SubjectUserName" }).'#text').TrimEnd("$")
			# Also overwrites the script-level $domain; nothing after this reads it.
			$domain = ($ | Where-Object { $_.Name -eq "SubjectDomainName" }).'#text'
			$entrytime = [datetime]$event.System.TimeCreated.SystemTime
			# Live lookup of the account's current lock state — one AD query per event.
			$status = (Get-ADUser -Identity $user  -Server $DC -Properties LockedOut).LockedOut
			$lockedout += [pscustomobject]@{User=$user; From=$from; DC=$dc; Domain=$domain; Timestamp=$entrytime; "Currently Locked Out"=$status}
	catch {
		# Any failure other than "no events" is reported as unreachable/unparsable;
		# the check string-matches the exception text, which is locale/version
		# dependent, and the original message is not surfaced to the user.
		$msg = $_.Exception.Message
		if (!$msg.StartsWith("No events were found")) {
			Write-Warning "$dc was unreachable or otherwise unparsable."
			Write-Warning "Ensure your account has Read access to the DC's Security log and the appropriate firewall ports are open."

# Results are shown interactively only; nothing is written to the pipeline.
if ($lockedout.count -eq 0) {
	Write-Host "No locked out events could be found."
} else {
	$lockedout | Out-Gridview