General PowerShell Q&A: locked users and location of lockedout only for specific OU
This topic has 6 replies, 3 voices, and was last updated 9 months ago.
April 27, 2020 at 7:16 am #222774
Hi,
does somebody have a working script for this purpose?
I have a working script that searches for locked users in a specific OU, exports this to csv and sends mail…
I need to know the location where these users are locked…
something like this, but only for a specific OU or only for users (samaccounts) from csv:
User LockoutTimeStamp LockoutSource
User 27/04/2020 9:07:42 OFK-NAS
thank you
April 27, 2020 at 7:49 am #222777
need to know the location where this users are locked…
You will need to query every single DC’s event log for that information.
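An added example of the approach this reply recommends (it is not code posted in the thread): read event 4740 from the Security log of every domain controller, keep only the lockouts of the accounts listed in a CSV, and report the caller computer name as the lockout source. It assumes the ActiveDirectory module is installed, that the caller can read each DC's Security log remotely, and that a CSV with a SamAccountName column exists at the placeholder path used below.

```powershell
# Added example, not code from the thread. Queries the Security log of every
# domain controller for event 4740 and keeps only the lockouts of the accounts
# listed in a CSV, reporting the caller computer name as the lockout source.
# Assumed: ActiveDirectory module present, rights to read each DC's Security log,
# and a CSV with a SamAccountName column at the placeholder path below.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [int] $Hours = 24
    )

    # Resolve each account to its SID once; 4740 carries the locked account's
    # SID in Properties[2], which is safer to compare than the display name.
    $sidToName = @{}
    foreach ($name in $SamAccountName) {
        $acct = Get-ADUser -Identity $name -ErrorAction SilentlyContinue
        if ($acct) { $sidToName[$acct.SID.Value] = $acct.SamAccountName }
    }

    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

    # Lockouts are chained to the PDC emulator, so it normally records every
    # 4740, but the DC that processed the bad passwords logs one as well.
    # Asking all DCs is the exhaustive approach and survives a cleared log.
    $rows = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $sidToName.ContainsKey("$($_.Properties[2].Value)") } |
                ForEach-Object {
                    [pscustomobject]@{
                        User             = $sidToName["$($_.Properties[2].Value)"]
                        LockoutTimeStamp = $_.TimeCreated
                        LockoutSource    = $_.Properties[1].Value   # Caller Computer Name
                        DomainController = $dc.HostName
                    }
                }
        }
        catch {
            # "No events were found" is normal on an idle DC; anything else is worth surfacing
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "Could not read the Security log on $($dc.HostName): $_"
            }
        }
    }

    # The same lockout usually shows up on both the originating DC and the PDC
    # emulator; the DomainController column keeps that visible instead of hiding it.
    $rows | Sort-Object User, LockoutTimeStamp
}

# Usage: scope by the accounts in a CSV instead of by OU (placeholder path).
$names = Import-Csv 'C:\pslocked\users.csv' | Select-Object -ExpandProperty SamAccountName
Get-LockoutSource -SamAccountName $names |
    Format-Table User, LockoutTimeStamp, LockoutSource, DomainController -AutoSize
```

Comparing the event's SID against a hashtable, rather than matching the account name from the event text, avoids false hits from similarly named accounts and works for any number of users; the per-DC try/catch keeps one unreachable DC from aborting the whole sweep.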
April 27, 2020 at 8:07 am #222783
need to know the location where this users are locked…
You will need to query every single DC’s event log for that information.
even if only one DC has the PDC emulator?
and how can I do it?
10x
April 27, 2020 at 3:22 pm #222912
Have you searched? This is covered many many times…
April 27, 2020 at 6:06 pm #222984
Have you searched? This is covered many many times…
“Use PowerShell to Find the Location of a Locked-Out User” (Scripting Blog): https://devblogs.microsoft.com/scripting/use-powershell-to-find-the-location-of-a-locked-out-user/
I have been on this page a lot of times… believe me, I have searched…
I can't see on this page a working example for a specific OU, not the whole domain
April 27, 2020 at 7:01 pm #222993
Finding a script that fits exactly what you want is more luck than probable. Get-ADUser has a parameter to limit the scope to an OU, you just need to update the command to return what you want:
-SearchBase
Specifies an Active Directory path to search under. When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive.
When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain.
When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value.
When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown.
April 30, 2020 at 6:11 am #224016
Ok, can you help me with this code? What am I doing wrong…? It works, but with 2 problems:
1. It doesn't really check only users from one OU; I see all the locked users from the domain
2. The export command exports only one user to csv; in the PS terminal I see a lot of users, but in the mail and in the exported csv file only one
$UserInfo = Search-ADAccount -LockedOut -SearchBase "OU=Users,OU=HERUM,DC=Domain,DC=GOV" -SearchScope Subtree
# Search-ADAccount returns an array; collect the SIDs so each event can be tested with -contains
# (comparing against $UserInfo.SID.Value with -match never matches once more than one user is locked)
$LockedSids = @($UserInfo | ForEach-Object { $_.SID.Value })
# $PDCEmulator was never assigned in the original
$PDCEmulator = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
$LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
#Parse and filter out lockout events: Properties[2] is the SID of the locked account
$Report = foreach ($Event in $LockedOutEvents)
{
    if ($LockedSids -contains "$($Event.Properties[2].Value)")
    {
        $Event | Select-Object -Property @(
            @{Label = 'User'; Expression = {$_.Properties[0].Value}}
            # @{Label = 'DomainController'; Expression = {$_.MachineName}}
            # @{Label = 'EventId'; Expression = {$_.Id}}
            @{Label = 'LockTime'; Expression = {$_.TimeCreated}}
            @{Label = 'Message'; Expression = {($_.Message -split "`r?`n")[0]}}
            @{Label = 'LockLocation'; Expression = {$_.Properties[1].Value}}
        )
    }
}
if ($Report)
{
# Export once, after the loop; Export-Csv inside the loop rewrote the file for every user, leaving only the last one
$Report | Export-Csv -Path C:\pslocked\locked.csv -NoTypeInformation
$Header = @"
<style>
TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #6495ED;}
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;}
</style>
"@
$user = (Import-Csv C:\pslocked\locked.csv | ConvertTo-Html -Property User, Message, LockLocation, LockTime -Head $Header)
# $LockoutTimeStamp and $LockoutSource were never assigned, so they are dropped from the body
$mailBody = @"
<center><b>
$user
</b></center>
"@
# One command: the original broke the line after -BodyAsHtml without a continuation backtick
Send-MailMessage -Body $mailBody -BodyAsHtml `
    -From 'Admin <[email protected]>' -To 'admin1 <[email protected]>', 'admin2 <[email protected]>' -Subject "locked users" -Encoding $([System.Text.Encoding]::UTF8) -Priority High -DeliveryNotificationOption OnSuccess, OnFailure -SmtpServer mailserver.com
}
else
{
    # scriptbock: placeholder from the original for the no-lockouts case
}