Public/Get-DCLockoutEvents2.ps1
function Get-DCLockoutEvents2 { <# .SYNOPSIS -Taylor Lee Modified 05172019 .DESCRIPTION Parse Logs 4740 and 4776 on the PDCEmulator for workstations causing a lockout. Null lockout location events are filtered. Best if run shortly after a lockout. .EXAMPLE Get-DCLockoutEvents2 -identity Joe .Notes Requires The Active Directory Module .Link Get-LockedAccounts Get-PasswordExpired Unlock-Account Unlock-AllAccounts #> [CmdletBinding(SupportsShouldProcess)] Param( [Parameter(Mandatory = $True)] [String]$Identity ) #Getting the PDCEmulator $DomainControllers = Get-ADDomainController -Filter * $PDCEmulator = ($DomainControllers | Where-Object { $_.OperationMasterRoles -contains "PDCEmulator" }) #Parsing Event Log 4740 Write-Host "Querying event id 4740 on $PDCEmulator." -Backgroundcolor Black -ForegroundColor Yellow $PDCEmulator | ForEach-Object { Get-WinEvent -ComputerName $_ -FilterHashtable @{LogName = 'Security'; Id = 4740 } | Where-Object { ($_.Properties[1].Value -notlike $null -and $_.Properties[0].Value -eq $Identity) } | Select-Object -Property @( @{Label = 'User'; Expression = { $_.Properties[0].Value } } @{Label = 'LockedOutLocation'; Expression = { $_.Properties[1].Value } } @{Label = 'LockedOutTimeStamp'; Expression = { $_.TimeCreated } } @{Label = 'DomainController'; Expression = { $_.MachineName } } @{Label = 'EventId'; Expression = { $_.Id } } ) | Format-Table }#endforeach #Parsing Event Log 4776 Write-Host "Querying event id 4776 on $PDCEmulator; this will take awhile. Use ctrl+c to end at any time." -Backgroundcolor Black -ForegroundColor Yellow $PDCEmulator | ForEach-Object { Get-WinEvent -ComputerName $_ -FilterHashtable @{LogName = 'Security'; Id = 4776 } | Where-Object { ($_.Properties[2].Value -notlike $null -and $_.Properties[1].Value -eq $Identity -and $_.KeywordsDisplayNames -contains "Audit Failure") } | Select-Object -Property @( @{Label = 'User'; Expression = { $_.Properties[1].Value } } @{Label = 'BadPasswordLocation'; Expression = { $_.Properties[2].Value } } @{Label = 'BadPasswordAttemptTime'; Expression = { $_.TimeCreated } } @{Label = 'DomainController'; Expression = { $_.MachineName } } @{Label = 'EventID'; Expression = { $_.ID } } ) | Format-Table }#endforeach }#endfunction |