Trying to Get the lockout source IP using sec event log. please advise

This topic contains 1 reply, has 2 voices, and was last updated by edwin arlington 1 week, 3 days ago.

  • #75041
    Del
    Participant

    Here's the script that I am using to get the source of the lockout.

    Function Get-LockedOutLocation
    {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory=$True)]
            [String]$Identity
        )
        Begin
        {
            $DCCounter = 0
            $LockedOutStats = @()

            Try
            {
                Import-Module ActiveDirectory -ErrorAction Stop
            }
            Catch
            {
                # 'Break' outside a loop silently terminates the whole calling script;
                # a terminating error stops this function and tells the caller why.
                Throw $_
            }
        }
        Process
        {
            Write-Verbose "Finding the domain controllers in the domain"
            $DomainControllers = Get-ADDomainController -Filter *
            # Every lockout is forwarded to the PDC emulator, so its Security log is the one to read.
            $PDCEmulator = $DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"}

            Foreach($DC in $DomainControllers)
            {
                $DCCounter++
                Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
                Try
                {
                    # badPasswordTime is used below, so it has to be requested here as well
                    $UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPasswordTime,BadPwdCount,LockedOut -ErrorAction Stop
                }
                Catch
                {
                    Write-Warning $_
                    Continue
                }
                If($UserInfo.LastBadPasswordAttempt)
                {
                    # badPwdCount / badPasswordTime are not replicated, so each DC reports its own view
                    $LockedOutStats += New-Object -TypeName PSObject -Property @{
                        Name                   = $UserInfo.SamAccountName
                        SID                    = $UserInfo.SID.Value
                        LockedOut              = $UserInfo.LockedOut
                        BadPwdCount            = $UserInfo.BadPwdCount
                        BadPasswordTime        = $UserInfo.BadPasswordTime
                        DomainController       = $DC.Hostname
                        AccountLockoutTime     = $UserInfo.AccountLockoutTime
                        LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()
                    }
                }
            }
            $LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize

            Try
            {
                Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
                $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
            }
            Catch
            {
                # 'Continue' outside a loop has the same script-terminating effect as 'Break';
                # Return simply ends the function after the warning.
                Write-Warning $_
                Return
            }

            Foreach($Event in $LockedOutEvents)
            {
                # Event 4740 EventData order: [0] TargetUserName, [1] TargetDomainName (the "Caller Computer Name"), [2] TargetSid.
                # Compare the SID as a string; -match would treat it as a regular expression.
                If("$($Event.Properties[2].Value)" -eq $UserInfo.SID.Value)
                {
                    $Event | Select-Object -Property @(
                        @{Label = 'User';               Expression = {$_.Properties[0].Value}}
                        @{Label = 'DomainController';   Expression = {$_.MachineName}}
                        @{Label = 'EventId';            Expression = {$_.Id}}
                        @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
                        @{Label = 'Message';            Expression = {$_.Message -split "`r" | Select -First 1}}
                        @{Label = 'LockedOutLocation';  Expression = {$_.Properties[1].Value}}
                    )
                }
            }
        }
    }

    I'm satisfied with the end result, but today I was trying to find out why a user keeps getting locked out, and the result was "Workstation", so I am trying to find out the IP of that workstation. Please advise!
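Event 4740 itself never carries an IP address, only the Caller Computer Name reported by the machine that submitted the bad password. The client address is recorded in the authentication failures that precede the lockout on the DC: Kerberos pre-authentication failures (event 4771) include a Client Address field, while NTLM credential-validation failures (event 4776) include only the Source Workstation name. The function below is an added example written for this thread, not part of Del's script, and it correlates those three event IDs on the PDC emulator for one account. The function name Get-LockoutSourceIP and the -Hours parameter are this example's own. It assumes the DCs audit "Kerberos Authentication Service" and "Credential Validation" failures (without those audit settings, the 4771/4776 events simply do not exist), and it reads event data by field name from the event XML rather than by positional index, so it does not depend on property order.

```powershell
# Added example for this thread (not Del's script): recover the client IP behind a lockout
# by correlating 4740 with the 4771/4776 failures logged on the PDC emulator.
# Get-LockoutSourceIP and -Hours are names chosen for this example.
Function Get-LockoutSourceIP
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$Identity,
        [Int]$Hours = 24            # how far back to read the Security log
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $PDC = Get-ADDomainController -Filter * |
        Where-Object { $_.OperationMasterRoles -contains 'PDCEmulator' }

    $Filter = @{
        LogName   = 'Security'
        Id        = 4740, 4771, 4776
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $Events = Get-WinEvent -ComputerName $PDC.HostName -FilterHashtable $Filter -ErrorAction Stop

    Foreach ($Event in $Events)
    {
        # Build a name -> value table from <EventData><Data Name="...">; this avoids
        # hard-coding Properties[n] indexes that differ between event IDs.
        $Xml  = [xml]$Event.ToXml()
        $Data = @{}
        Foreach ($Field in $Xml.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }

        $User = $Data['TargetUserName']
        If ($User -ne $Identity) { Continue }

        Switch ($Event.Id)
        {
            4740 { $Source = $Data['TargetDomainName']; $Ip = $null;              $Reason = 'Account locked out' }
            4771 { $Source = $null;                     $Ip = $Data['IpAddress']; $Reason = "Kerberos pre-auth failed (status $($Data['Status']))" }
            4776 {
                # 4776 is logged for successes too; status 0x0 means the password was correct
                If ($Data['Status'] -eq '0x0') { Continue }
                $Source = $Data['Workstation'];  $Ip = $null;               $Reason = "NTLM validation failed (status $($Data['Status']))"
            }
        }

        # 4771 reports IPv4 clients as IPv4-mapped IPv6 addresses ("::ffff:10.1.2.3")
        If ($Ip) { $Ip = $Ip -replace '^::ffff:', '' }

        # When the event only names a host (4740/4776), try to resolve it through DNS
        If (-not $Ip -and $Source)
        {
            Try   { $Ip = ([System.Net.Dns]::GetHostAddresses($Source) | Select-Object -First 1).IPAddressToString }
            Catch { $Ip = 'unresolved' }
        }

        [PSCustomObject]@{
            TimeCreated = $Event.TimeCreated
            EventId     = $Event.Id
            User        = $User
            Source      = $Source
            SourceIP    = $Ip
            Reason      = $Reason
        }
    }
}

# Usage: list the failures around the lockout, oldest first
# Get-LockoutSourceIP -Identity jdoe -Hours 8 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Read the 4771 rows immediately before each 4740 row: their SourceIP is the address that sent the bad Kerberos credentials. If only 4776 rows appear, the client authenticated with NTLM and the DC never saw an IP, so the workstation name (or its DNS resolution) is the only lead, and the next step is that machine's own logs. Failed authentications are logged on whichever DC the client used, so if the PDC emulator shows the 4740 but no matching 4771, run the same query with -ComputerName pointed at each DC, the way the original script already loops over them for the lockout counters.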

  • #75182
    edwin arlington
    Participant
