{"id":5040,"date":"2021-03-18T23:23:41","date_gmt":"2021-03-18T23:23:41","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=5040"},"modified":"2024-10-09T05:43:36","modified_gmt":"2024-10-09T05:43:36","slug":"ad-account-lockout-script","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/ad-account-lockout-script","title":{"rendered":"AD Account Lockout Script"},"content":{"rendered":"\n<p>Download and install the Account Lockout and Management Tools from <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=18465\">https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=18465<\/a>. LockoutStatus.exe from that package shows which domain controller recorded the lockout and the bad-password count on each DC.<\/p>\n\n\n\n<p>To see which client the bad passwords are coming from, you will also need to enable Netlogon debug logging on the domain controllers: <code>nltest \/dbflag:0x2080ffff<\/code> writes <code>%windir%\\debug\\netlogon.log<\/code> (rolled to netlogon.bak when full), and <code>nltest \/dbflag:0x0<\/code> turns it off again. Only logons that happen after the flag is set are captured, so enable it before the next lockout, not after.<\/p>\n\n\n\n<p>The script below (Chrissy LeMaire's Get-LockoutHistory.ps1) works from the other record you already have: it reads each domain controller's Security log for event ID 4740 (A user account was locked out), which names the locked account, the DC that locked it and, in the Caller Computer Name field, the machine the bad passwords came from. 4740 is only written when the Audit User Account Management subcategory is enabled, and it is gone once the Security log rolls over. The script needs the ActiveDirectory module (RSAT) and Read access to each DC's Security log.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">&lt;#  \n\t.SYNOPSIS  \n\tDisplays list of accounts that have been locked out in AD since the last time each DC's Event Log has rolled over.\n\n\t.DESCRIPTION\n\tBy default, this script displays a list of accounts that have been locked out on the current domain since the last time the Event Log rolled over. Results can be filtered by using parameters.\n\n\t.PARAMETER forest\n\tQueries all DCs in the current forest\n\n\t.PARAMETER Domain\n\tQueries only DCs within the specified domain. If no domain is listed, it will default to the current domain.\n\t\n\t.PARAMETER DCs\n\tQueries only specified DCs\n\t\n\t.PARAMETER Start\n\tFilter by start time in 'MM\/dd\/yyyy HH:mm:ss' format.\n\t\n\t.PARAMETER End\n\tFilter by end time in 'MM\/dd\/yyyy HH:mm:ss' format.\n\t\n\t.NOTES  \n\tAuthor  : Chrissy LeMaire \n\tRequires:     PowerShell Version 3.0\n\tDateUpdated: 2015-Feb-5\n\tVersion: 1.1\n\t \n\t.LINK\n\t\n\t \n\t.EXAMPLE\n\t.\\Get-LockoutHistory.ps1\n\tGets all locked out accounts in the current domain.\n\t\n\t.EXAMPLE\n\t.\\Get-LockoutHistory.ps1 -forest\n\tGets all locked out accounts in the current forest\n\t\n\t.EXAMPLE\n\t.\\Get-LockoutHistory.ps1 -domain ad.local -start '1\/28\/2015' -end '1\/29\/2015'\n\tGets all locked out accounts in the ad.local domain, starting at 01\/28\/2015 00:00:00 and ending at 01\/29\/2015 00:00:00\n#> \n#Requires -Version 3.0\n#Requires -Modules ActiveDirectory\n[CmdletBinding(DefaultParameterSetName=\"Default\")]\n\nParam(\n\t[switch]$forest,\n\t[string]$domain,\n\t[string[]]$dcs,\n\t[datetime]$start,\n\t[datetime]$end\n\t)\n\nif ($domain.length -ne 0) { $domain = $domain.toLower() }\n\n# Work out which DCs to query: -DCs wins; otherwise -Forest expands to every DC in the forest\n# and -Domain to the DCs of that domain. A [string] parameter is never $null, so test its length.\nif (($forest -or $domain.length -ne 0) -and $dcs.count -eq 0) {\n\t$currentforest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()\n\t$currentdomains = $currentforest.Domains\n\t\n\tif ($domain.length -ne 0) {\n\t\t$singledomain = ($currentdomains | Where-Object { $_.Name -eq $domain })\n\t\tif ($singledomain -eq $null) { throw \"$domain could not be found in the forest.\" }\n\t\t$dcs = $singledomain.DomainControllers.Name\n\t} else { $dcs = $currentdomains.DomainControllers.Name }\n} \n\nif ($dcs.count -eq 0) {\n\t$currentdomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()\n\t$dcs = $currentdomain.FindAllDomainControllers().Name\n}\n\n# 4740 = \"A user account was locked out\" (Audit User Account Management)\n$filter = @{LogName='Security';Id=4740;}\n\n# An unbound [datetime] parameter is 01\/01\/0001, not $null, so check whether it was actually passed.\nif ($PSBoundParameters.ContainsKey('start')) {\n\t$filter += @{StartTime=$start;}\n\tWrite-Host \"Filter Start: $($start.ToString('MM\/dd\/yyyy HH:mm:ss'))\" -ForegroundColor Yellow\n}\n\nif ($PSBoundParameters.ContainsKey('end')) {\n\t$filter += @{EndTime=$end;}\n\tWrite-Host \"Filter End: $($end.ToString('MM\/dd\/yyyy HH:mm:ss'))\" -ForegroundColor Yellow\n}\n\n$lockedout = @()\n\nforeach ($dc in $dcs) {\n\tWrite-Host \"Contacting $dc\" -ForegroundColor Green\n\ttry {\n\t\t$events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop\n\n\t\tforeach ($record in $events) {\n\t\t\t$event = [xml]$record.ToXml()\n\t\t\t$data = $event.Event.EventData.Data\n\t\t\t$user = ($data | Where-Object { $_.Name -eq \"TargetUserName\" }).'#text'\n\t\t\t# In 4740, TargetDomainName is the Caller Computer Name: the machine that sent the bad passwords\n\t\t\t$from = ($data | Where-Object { $_.Name -eq \"TargetDomainName\" }).'#text'\n\t\t\t# SubjectUserName is the computer account of the DC that locked the account (DC01$); keep it\n\t\t\t# in its own variable so the loop's $dc is still correct in the catch block below\n\t\t\t$lockingdc = (($data | Where-Object { $_.Name -eq \"SubjectUserName\" }).'#text').TrimEnd(\"$\")\n\t\t\t$lockingdomain = ($data | Where-Object { $_.Name -eq \"SubjectDomainName\" }).'#text'\n\t\t\t$entrytime = [datetime]$event.Event.System.TimeCreated.SystemTime\n\t\t\t$status = (Get-ADUser -Identity $user -Server $lockingdc -Properties LockedOut).LockedOut\n\t\t\n\t\t\t$lockedout += [pscustomobject]@{User=$user; From=$from; DC=$lockingdc; Domain=$lockingdomain; Timestamp=$entrytime; \"Currently Locked Out\"=$status}\n\t\t}\n\t}\n\tcatch {\n\t\t$msg = $_.Exception.Message\n\t\tif (!$msg.StartsWith(\"No events were found\")) {\n\t\t\tWrite-Warning \"$dc was unreachable or otherwise unparsable: $msg\"\n\t\t\tWrite-Warning \"Ensure your account has Read access to the DC's Security log and the appropriate firewall ports are open.\"\n\t\t}\n\t}\n}\n\nif ($lockedout.count -eq 0) {\n\tWrite-Host \"No locked out events could be found.\"\n} else {\n\t$lockedout | Out-Gridview\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Download and install 
https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=18465 You will need to enable NetLogon Logs<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5040","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5040","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=5040"}],"version-history":[{"count":5,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5040\/revisions"}],"predecessor-version":[{"id":8362,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5040\/revisions\/8362"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=5040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=5040"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=5040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
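The post tells you to enable Netlogon logging but never shows what to do with the log, and the 4740 event only gives the caller computer name, not the count or the relay path. The block below is an added example, not part of the original post or of Chrissy LeMaire's Get-LockoutHistory.ps1: it parses netlogon.log lines and ranks the (account, source client, relaying server) combinations by number of failed logons. The function names Get-NetlogonFailure and Get-LockoutSource are mine, the sample lines are constructed rather than captured, and the regex assumes the SamLogon line shape shown in the comment (timestamp, [LOGON] [pid], domain, logon type, account, from CLIENT (via SERVER), Returns NTSTATUS).

```powershell
# Added example, not part of the original post or of Get-LockoutHistory.ps1.
# Attributes bad-password and lockout attempts to the client that sent them by
# parsing the Netlogon debug log the post tells you to enable.
#
# On each DC:  nltest /dbflag:0x2080ffff   (writes %windir%\debug\netlogon.log,
#                                           rolled to netlogon.bak when full)
# Afterwards:  nltest /dbflag:0x0
#
# Assumed format of the lines we care about:
# MM/DD HH:mm:ss [LOGON] [pid] DOMAIN: SamLogon: <Type> logon of DOMAIN\user from CLIENT (via SERVER) Returns 0xC000006A

# NTSTATUS codes a failing SamLogon returns; 0x0 (success) is deliberately absent
$LogonStatus = @{
    '0xC000006A' = 'Wrong password'
    '0xC0000234' = 'Account locked out'
    '0xC0000064' = 'No such user'
    '0xC000006D' = 'Logon failure'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC0000193' = 'Account expired'
}

$SamLogonLine = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] \[\d+\] \S+: SamLogon: (?<type>.+?) logon of (?<account>\S+) from (?<from>\S+)(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]{8})$'

function Get-NetlogonFailure {
    # One object per failed SamLogon line: who, from which client, relayed by which host, why.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [AllowEmptyString()] [string]$Line,
        [string]$Dc = $env:COMPUTERNAME
    )
    process {
        if ($Line -notmatch $SamLogonLine) { return }          # "Entered" lines, 0x0 successes, other subsystems
        $status = $Matches.status
        if (-not $LogonStatus.ContainsKey($status)) { return }  # hashtable keys are case-insensitive
        [pscustomobject]@{
            Time    = $Matches.ts        # netlogon.log carries no year; sorts correctly within one
            DC      = $Dc
            Account = $Matches.account
            From    = $Matches.from      # workstation that submitted the credentials
            Via     = $Matches.via       # member server that forwarded the logon, if any
            Type    = $Matches.type
            Status  = $status
            Reason  = $LogonStatus[$status]
        }
    }
}

function Get-LockoutSource {
    # Groups failures by account and origin so the noisiest source sorts to the top;
    # a stale credential in a service, scheduled task or mapped drive on From is the usual cause.
    param([Parameter(Mandatory)] [object[]]$Failures)
    $Failures | Group-Object Account, From, Via | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account   = $_.Group[0].Account
            From      = $_.Group[0].From
            Via       = $_.Group[0].Via
            Attempts  = $_.Count
            LockedOut = [bool]($_.Group | Where-Object Status -eq '0xC0000234')
            First     = $sorted[0].Time
            Last      = $sorted[-1].Time
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample in the Netlogon format (not a real capture). Against a real DC:
#   Get-Content '\\DC01\admin$\debug\netlogon.log' | Get-NetlogonFailure -Dc DC01
$sample = @'
03/18 08:01:12 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\svc_backup from APP01 (via APP01) Entered
03/18 08:01:12 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\svc_backup from APP01 (via APP01) Returns 0xC000006A
03/18 08:01:13 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\svc_backup from APP01 (via APP01) Returns 0xC000006A
03/18 08:01:14 [LOGON] [1204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\svc_backup from APP01 (via EXCH01) Returns 0xC000006A
03/18 08:01:15 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\svc_backup from APP01 (via APP01) Returns 0xC0000234
03/18 08:02:40 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS-042 (via FS01) Returns 0xC000006A
03/18 08:02:41 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS-042 (via FS01) Returns 0x0
'@ -split "`r?`n"

$failures = $sample | Get-NetlogonFailure -Dc DC01
Get-LockoutSource -Failures $failures | Format-Table -AutoSize
```

Run it against the log from every DC, not just the PDC emulator: the bad passwords are processed by whichever DC the client or relaying server talked to, and only the lockout itself is guaranteed to reach the PDC emulator. The Via column is what the 4740 event cannot tell you; when From is a workstation but Via is an Exchange or file server, the stale credential is usually a cached one on the workstation being replayed through that server.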