Public/Get-ADLockoutSource.ps1
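<#
.SYNOPSIS
    Retrieves the source of the most recent Active Directory account lockout for a specified user.

.DESCRIPTION
    The Get-ADLockoutSource function reads account-lockout events (event ID 4740) from the
    Security log and reports the newest one whose locked-out account name equals the
    specified user. It provides details such as the time of the lockout, the machine that
    triggered the lockout (the "Caller Computer Name" recorded in the event), the computer
    that recorded the event, the event ID, and the associated message.

    Get-EventLog is called without -ComputerName, so the function reads the Security log of
    the computer it runs on. Run it on a domain controller that records lockouts (typically
    the PDC emulator; confirm for your domain) from a session allowed to read the Security log.

.PARAMETER Username
    The username of the AD account for which you want to check the lockout source.
    It is compared for equality (case-insensitive) with the account name stored in the
    event; it is not treated as a wildcard pattern.

.EXAMPLE
    Get-ADLockoutSource -Username "jdoe"

    This will retrieve the most recent lockout event for the user "jdoe".

.NOTES
    File Name      : Get-ADLockoutSource.ps1
    Author         : Everett Williams
    Prerequisite   : PowerShell V2, Active Directory module
    Copyright 2023 : Forthencho Group
#>
function Get-ADLockoutSource {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]$Username
    )

    # Load the Active Directory module. No AD cmdlet is called below; the import is kept
    # so that callers relying on the module being loaded afterwards are not affected.
    Import-Module ActiveDirectory

    # Get-EventLog returns entries newest first. Filter on the user BEFORE taking the first
    # entry: taking "-Newest 1" up front would inspect only the latest lockout in the whole
    # log and miss this user whenever somebody else was locked out more recently.
    #
    # For event 4740 the insertion strings are: [0] locked-out account name,
    # [1] caller computer name. Matching [0] exactly avoids the false hits of a substring
    # search over the message text ("jdoe" matching "jdoe2", or a name containing "*").
    $lockoutEvent = Get-EventLog -LogName Security -InstanceId 4740 |
        Where-Object {
            $_.ReplacementStrings.Length -gt 1 -and
            $_.ReplacementStrings[0] -eq $Username
        } |
        Select-Object -First 1

    if ($lockoutEvent) {
        # MachineName is the computer that logged the event (the domain controller), not
        # the machine where the bad password attempts came from; that is insertion string 1.
        $callerComputer = $lockoutEvent.ReplacementStrings[1]
        if ([string]::IsNullOrEmpty($callerComputer)) {
            # The event can carry an empty caller name; say so instead of printing a blank.
            $callerComputer = "(not recorded in event)"
        }

        Write-Host "Lockout event found for user $Username"
        Write-Host "--------------------------------------"
        Write-Host "Locked Out On: $($lockoutEvent.TimeGenerated)"
        Write-Host "Locked Out By: $callerComputer"
        Write-Host "Recorded On: $($lockoutEvent.MachineName)"
        Write-Host "Event ID: $($lockoutEvent.EventID)"
        Write-Host "Message: $($lockoutEvent.Message)"
    }
    else {
        Write-Host "No recent lockout event found for user $Username"
    }
}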