Download and install https://www.microsoft.com/en-us/download/details.aspx?id=18465
You will need to enable NetLogon Logs
<#
.SYNOPSIS
Displays list of accounts that have been locked out in AD since the last time each DC’s Event Log has rolled over.
.DESCRIPTION
By default, this script displays list of accounts that have been locked out on the current domain since the last time the Event Log rolled over. Results can be filtered by using parameters.
.PARAMETER forest
Queries all DCs in the current forest
.PARAMETER Domain
Queries only DCs within the specified domain. If no domain is listed, it will default to the current domain.
.PARAMETER DCs
Queries only specified DCs
.PARAMETER Start
Filter by start time in ’MM/dd/yyyy HH:mm:ss’ format.
.PARAMETER End
Filter by end time in ’MM/dd/yyyy HH:mm:ss’ format.
.NOTES
Author : Chrissy LeMaire
Requires: PowerShell Version 3.0
DateUpdated: 2015-Feb-5
Version: 1.1
.LINK
.EXAMPLE
.\Get-LockoutHistory.ps1
Gets all locked out accounts in the current domain.
.EXAMPLE
.\Get-LockoutHistory.ps1 -forest
Gets all locked out accounts in the current forest
.EXAMPLE
.\Get-LockoutHistory.ps1 -domain ad.local -start ’1/28/2015’ -end ’1/29/2015’
Gets all locked out accounts in the ad.local domain, starting at 01/28/2015 00:00:00 and ending at 01/29/2015 00:00:00
#>
#Requires -Version 3.0
[CmdletBinding(DefaultParameterSetName="Default")]
Param(
[switch]$forest,
[string]$domain,
[string[]]$dcs,
[datetime]$start,
[datetime]$end
)
if ($domain.length -ne 0) { $domain = $domain.toLower() }
if (($forest -eq $true -or $domain -ne $null) -and $dcs.length -eq 0) {
$currentforest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$currentdomains = $currentforest.Domains
if ($domain.length -ne 0) {
$singledomain = ($currentdomains | Where-Object { $_.Name -eq $domain })
if ($singledomain -eq $null) { throw "$domain could not be found in the forest." }
$dcs = $singledomain.DomainControllers.name
} else { $dcs = $domains.DomainControllers.name }
}
if ($dcs -eq $null) {
$currentdomain = [directoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = $currentdomain.FindAllDomainControllers()
}
$filter = @{LogName=’Security’;Id=4740;}
if ($start -ne $null) {
$start = (Get-Date $start -Format ’MM/dd/yyyy HH:mm:ss’)
$filter += @{StartTime=$start;}
Write-Host "Filter Start: $start" -ForegroundColor Yellow
}
if ($end -ne $null) {
$end = (Get-Date $end -Format ’MM/dd/yyyy HH:mm:ss’)
$filter += @{EndTime=$end;}
Write-Host "Filter End: $end" -ForegroundColor Yellow
}
$allevents = $null; $lockedout = @()
foreach ($dc in $dcs) {
Write-Host "Contacting $dc" -ForegroundColor Green
try {
$allevents = (Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop).ToXml()
$allevents = "<root>$allevents</root>"
foreach ($event in ([xml]$allevents).root.Event) {
$user = ($event.EventData.data | Where-Object { $_.Name -eq "TargetUserName" }).’#text’
$from = ($event.EventData.data | Where-Object { $_.Name -eq "TargetDomainName" }).’#text’
$dc = (($event.EventData.data | Where-Object { $_.Name -eq "SubjectUserName" }).’#text’).TrimEnd("$")
$domain = ($event.EventData.data | Where-Object { $_.Name -eq "SubjectDomainName" }).’#text’
$entrytime = [datetime]$event.System.TimeCreated.SystemTime
$status = (Get-ADUser -Identity $user -Server $DC -Properties LockedOut).LockedOut
$lockedout += [pscustomobject]@{User=$user; From=$from; DC=$dc; Domain=$domain; Timestamp=$entrytime; "Currently Locked Out"=$status}
}
}
catch {
$msg = $_.Exception.Message
if (!$msg.StartsWith("No events were found")) {
Write-Warning "$dc was unreachable or otherwise unparsable."
Write-Warning "Ensure your account has Read access to the DC’s Security log and the appropriate firewall ports are open."
}
}
}
if ($lockedout.count -eq 0) {
Write-Host "No locked out events could be found."
} else {
$lockedout | Out-Gridview
}
Loading...