locked users and location of lockedout only for specific OU

    • #222774
      Participant
      Topics: 1
      Replies: 3
      Points: 3
      Rank: Member

Hi,

      Does somebody have a working script for this purpose?

      I have a working script that searches for locked users in a specific OU, exports them to CSV and sends mail…

      I need to know the location where these users are locked…

      Something like this, but only for a specific OU or only for users (samaccounts) from a CSV:

      User   LockoutTimeStamp      LockoutSource

      User   27/04/2020 9:07:42    OFK-NAS

      thank you

    • #222777
      Participant
      Topics: 4
      Replies: 2249
      Points: 5,494
      Helping Hand
      Rank: Community MVP

need to know the location where these users are locked…

      You will need to query every single DC's event log for that information.

    • #222783
      Participant
      Topics: 1
      Replies: 3
      Points: 3
      Rank: Member

need to know the location where these users are locked…

      You will need to query every single DC's event log for that information.

      Even if only one DC has the PDC emulator?

      And how can I do it?

      10x

    • #222912
      Participant
      Topics: 12
      Replies: 1623
      Points: 2,565
      Helping Hand
      Rank: Community Hero

      Have you searched? This is covered many many times…

Use PowerShell to Find the Location of a Locked-Out User (https://devblogs.microsoft.com/scripting/use-powershell-to-find-the-location-of-a-locked-out-user/)

    • #222984
      Participant
      Topics: 1
      Replies: 3
      Points: 3
      Rank: Member

      Have you searched? This is covered many many times…

      Use PowerShell to Find the Location of a Locked-Out User


I've been on this page a lot of times … believe me, I have searched…

      I can't see a working example on this page for a specific OU, not the whole domain.

    • #222993
      Participant
      Topics: 12
      Replies: 1623
      Points: 2,565
      Helping Hand
      Rank: Community Hero

      Finding a script that fits exactly what you want is more luck than probable. Get-ADUser has a parameter to limit the scope to an OU, you just need to update the command to return what you want:

      -SearchBase
      Specifies an Active Directory path to search under.

      When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive.

      When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain.

      When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value.

      When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown.

    • #224016
      Participant
      Topics: 1
      Replies: 3
      Points: 3
      Rank: Member

OK, can you help me with this code? What am I doing wrong…? It works, but with 2 problems:

      1. It doesn't really check only users from one OU; I see all the locked users from the domain.

      2. The export command exports only one user to CSV; in the PS terminal I see a lot of users, but in the mail and in the exported CSV file only one.

$UserInfo = Search-ADAccount -LockedOut -SearchBase "OU=Users,OU=HERUM,DC=Domain,DC=GOV" -SearchScope Subtree
      # 4740 lockout events are recorded on the PDC emulator; look it up instead of using an unset $PDCEmulator
      $PDCEmulator = (Get-ADDomain).PDCEmulator
      $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending

      # Parse and filter out lockout events: keep only events whose TargetSid (Properties[2]) belongs to
      # an account found in the OU. "-match $UserInfo.SID.Value" compared against a whole array (or against
      # $null when nothing was locked out in the OU) rather than one SID, which is why every locked user
      # in the domain showed up.
      $LockedSids = @($UserInfo | ForEach-Object { $_.SID.Value })
      $Results = foreach ($Event in $LockedOutEvents)
      {
          if ($LockedSids -contains "$($Event.Properties[2].Value)")
          {
              $Event | Select-Object -Property @(
                  @{Label = 'User'; Expression = {$_.Properties[0].Value}}
                  # @{Label = 'DomainController'; Expression = {$_.MachineName}}
                  # @{Label = 'EventId'; Expression = {$_.Id}}
                  @{Label = 'LockTime'; Expression = {$_.TimeCreated}}
                  @{Label = 'Message'; Expression = {$_.Message -split "`r" | Select-Object -First 1}}
                  @{Label = 'LockLocation'; Expression = {$_.Properties[1].Value}}
              )
          }
      }

      if ($Results)
      {
          # Export once, after the loop. Export-Csv inside the loop rewrote the file on every iteration,
          # so only the last user survived in the CSV and in the mail.
          $Results | Export-Csv -Path C:\pslocked\locked.csv -NoTypeInformation

          $Header = @"
      <style>
      TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
      TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #6495ED;}
      TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;}
      </style>
      "@

          $user = (Import-Csv C:\pslocked\locked.csv | ConvertTo-Html -Property User, Message, LockLocation, LockTime -Head $Header)
          # $LockoutTimeStamp and $LockoutSource were never assigned anywhere, so they are dropped from the body
          $mailBody = @"
      <center><b>
      $user
      </b></center>
      "@
          Send-MailMessage -Body $mailBody -BodyAsHtml `
              -From 'Admin <admin@asdasd.com>' -To 'admin1 <mail1@asdasd.coml>', 'admin2 <mail2@gfdg.com>' -Subject "locked users" -Encoding $([System.Text.Encoding]::UTF8) -Priority High -DeliveryNotificationOption OnSuccess, OnFailure -SmtpServer mailserver.com
      }
      else
      {
          # scriptbock   (placeholder left in the original post for the "nothing is locked out" branch)
      }

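An added example, not code from the thread's posters or from the Scripting Blog post, that combines the two answers above: limit the account set with -SearchBase (or with a CSV of SamAccountNames, the other option the original question asked for) and then attribute each 4740 event on the PDC emulator by TargetSid instead of by a name match. The function name, parameter names, the "samaccountname" CSV column and all paths are assumptions.

```powershell
# Added example (not the posters' code): scope the account set to one OU (-SearchBase) or to
# the SamAccountNames in a CSV (-CsvPath, assumed to have a "samaccountname" column), then
# attribute each 4740 event on the PDC emulator by TargetSid. Function and parameter names,
# the CSV column and all paths are assumptions. Needs the ActiveDirectory module and read
# access to the Security log on the PDC emulator.
function Get-OuLockoutSource {
    [CmdletBinding(DefaultParameterSetName = 'OU')]
    param(
        [Parameter(ParameterSetName = 'OU', Mandatory)]  [string] $SearchBase,
        [Parameter(ParameterSetName = 'CSV', Mandatory)] [string] $CsvPath,
        [int] $LookbackHours = 24
    )
    if ($PSCmdlet.ParameterSetName -eq 'OU') {
        $accounts = Search-ADAccount -LockedOut -SearchBase $SearchBase -SearchScope Subtree
    } else {
        $accounts = Import-Csv $CsvPath | ForEach-Object {
            Get-ADUser -Filter "SamAccountName -eq '$($_.samaccountname)'" -Properties LockedOut
        } | Where-Object { $_.LockedOut }
    }
    # SID string -> SamAccountName. Matching on TargetSid (Properties[2]) instead of the
    # user name avoids partial matches such as "bob" also matching "bobby".
    $bySid = @{}
    foreach ($a in $accounts) { $bySid[$a.SID.Value] = $a.SamAccountName }
    if ($bySid.Count -eq 0) { return }

    # Event 4740 is always logged on the PDC emulator, whichever DC locked the account.
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Newest first, so the first hit per SID is the most recent lockout of that account.
    $seen = @{}
    foreach ($e in ($events | Sort-Object TimeCreated -Descending)) {
        $sid = "$($e.Properties[2].Value)"
        if (-not $bySid.ContainsKey($sid) -or $seen.ContainsKey($sid)) { continue }
        $seen[$sid] = $true
        [pscustomobject]@{
            User             = $bySid[$sid]
            LockoutTimeStamp = $e.TimeCreated
            LockoutSource    = $e.Properties[1].Value   # "Caller Computer Name" in the event
            PDCEmulator      = $pdc
        }
    }
}

# Usage (OU and paths are placeholders):
# Get-OuLockoutSource -SearchBase 'OU=Users,OU=HERUM,DC=Domain,DC=GOV' | Export-Csv C:\pslocked\locked.csv -NoTypeInformation
# Get-OuLockoutSource -CsvPath C:\pslocked\users.csv | Format-Table
```

The objects it returns carry exactly the User / LockoutTimeStamp / LockoutSource columns the original question asked for, so they can be piped straight into the CSV export and the HTML mail from the script above.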