Trying to Get the lockout source IP using sec event log. please advise


This topic contains 1 reply, has 2 voices, and was last updated by Inactive 1 year, 7 months ago.

  • #75041
    Del (Participant)

    Here's the script that I am using to get the source of the lockout.

    Function Get-LockedOutLocation
    {
        [CmdletBinding()]
        Param(
          [Parameter(Mandatory=$True)]
          [String]$Identity
        )
        Begin
        {
            $DCCounter = 0
            $LockedOutStats = @()
            $TargetSid = $null

            Try
            {
                Import-Module ActiveDirectory -ErrorAction Stop
            }
            Catch
            {
               # Nothing below can run without the AD module, so stop the function here
               # ('Break' outside a loop would silently terminate the caller instead)
               Throw $_
            }
        }
        Process
        {
            Write-Verbose "Finding the domain controllers in the domain"
            $DomainControllers = @(Get-ADDomainController -Filter *)
            # Lockouts are forwarded to the PDC emulator, so its Security log holds every 4740
            $PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})

            Foreach($DC in $DomainControllers)
            {
                $DCCounter++
                Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
                Try
                {
                    # badPasswordTime (raw FileTime) is not in the default property set; request it so
                    # the BadPasswordTime field below is not always empty
                    $UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut,badPasswordTime -ErrorAction Stop
                }
                Catch
                {
                    Write-Warning $_
                    Continue
                }
                # Remember the SID from the first DC that answers; it is used to match 4740 events below
                If(-not $TargetSid) { $TargetSid = $UserInfo.SID.Value }

                If($UserInfo.LastBadPasswordAttempt)
                {
                    $LockedOutStats += New-Object -TypeName PSObject -Property @{
                            Name                   = $UserInfo.SamAccountName
                            SID                    = $UserInfo.SID.Value
                            LockedOut              = $UserInfo.LockedOut
                            BadPwdCount            = $UserInfo.BadPwdCount
                            BadPasswordTime        = $UserInfo.badPasswordTime
                            DomainController       = $DC.Hostname
                            AccountLockoutTime     = $UserInfo.AccountLockoutTime
                            LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()
                        }
                }
            }
            $LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize

            If(-not $TargetSid)
            {
                Write-Warning "Could not resolve $Identity on any domain controller"
                Return
            }

            Try
            {
               Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
               $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
            }
            Catch
            {
               Write-Warning $_
               Return
            }

            # 4740 EventData order: 0 TargetUserName, 1 TargetDomainName (shown as "Caller Computer Name"), 2 TargetSid
            Foreach($Event in $LockedOutEvents)
            {
               # Properties[2].Value is a SecurityIdentifier object; compare it as a string
               If("$($Event.Properties[2].Value)" -eq $TargetSid)
               {
                  $Event | Select-Object -Property @(
                    @{Label = 'User';               Expression = {$_.Properties[0].Value}}
                    @{Label = 'DomainController';   Expression = {$_.MachineName}}
                    @{Label = 'EventId';            Expression = {$_.Id}}
                    @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
                    @{Label = 'Message';            Expression = {$_.Message -split "`r" | Select -First 1}}
                    @{Label = 'LockedOutLocation';  Expression = {$_.Properties[1].Value}}
                  )
               }
            }
        }
    }

    I'm satisfied with the end result, but today I was trying to find out why a user keeps getting locked out, and the result was "Workstation", so I am trying to find the IP of that workstation. Please advise!
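The 4740 event cannot answer this on its own: its "Caller Computer Name" is the workstation name the client put into its NTLM or Kerberos request, so a generic value such as "Workstation" means the client told the DC nothing useful. The authentication failures that produced the lockout are logged on whichever DC validated the bad passwords, not only on the PDC emulator, and they are where an address can be found: 4771 (Kerberos pre-authentication failed) carries the client IP, while 4776 (NTLM credential validation) carries only that same client-supplied workstation name. The function below is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module, rights to read the DCs' Security logs remotely, and a DC audit policy that records Credential Validation and Kerberos Authentication Service failures; the function and parameter names are made up for this illustration.

```powershell
# Added example (not from the original post): walk every DC for the 4771/4776
# failures in the window before the lockout and report the client IP where it exists.
Function Get-LockoutSourceIP
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$Identity,
        # Search window ends shortly after AccountLockoutTime (or now, if not locked out)
        [Int]$MinutesBack = 60
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $User  = Get-ADUser -Identity $Identity -Properties AccountLockoutTime
    $End   = If ($User.AccountLockoutTime) { $User.AccountLockoutTime.AddMinutes(5) } Else { Get-Date }
    $Start = $End.AddMinutes(-$MinutesBack)

    # Status fields are HexInt32 in the event XML; Properties[].Value may surface them as integers
    Function Format-Status($Value)
    {
        If ($Value -is [ValueType]) { '0x{0:x}' -f $Value } Else { "$Value" }
    }

    # Failed attempts land on whichever DC the client authenticated against, so ask all of them
    Foreach ($DC in @(Get-ADDomainController -Filter *))
    {
        Try
        {
            Write-Verbose "Querying $($DC.HostName) for 4771/4776 between $Start and $End"
            $Events = Get-WinEvent -ComputerName $DC.HostName -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4771, 4776
                StartTime = $Start
                EndTime   = $End
                Data      = $User.SamAccountName   # matches the TargetUserName field in both event types
            }
        }
        Catch
        {
            # Get-WinEvent raises an error when the filter matches nothing; only warn on real failures
            If ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$($DC.HostName): $_" }
            Continue
        }

        Foreach ($Event in $Events)
        {
            If ($Event.Id -eq 4771)
            {
                # 4771 EventData order: 0 TargetUserName, 1 TargetSid, 2 ServiceName, 3 TicketOptions,
                # 4 Status (0x18 = wrong password), 5 PreAuthType, 6 IpAddress, 7 IpPort
                [PSCustomObject]@{
                    Time        = $Event.TimeCreated
                    DC          = $DC.HostName
                    EventId     = 4771
                    Protocol    = 'Kerberos'
                    Status      = Format-Status $Event.Properties[4].Value
                    Workstation = $null
                    # IpAddress is usually IPv4-mapped ("::ffff:10.1.2.3"); strip the prefix
                    ClientIP    = ($Event.Properties[6].Value -replace '^::ffff:', '')
                }
            }
            Else
            {
                # 4776 EventData order: 0 PackageName, 1 TargetUserName, 2 Workstation, 3 Status
                # Status 0x0 is a success; 0xc000006a = wrong password, 0xc0000234 = account locked out
                $Status = Format-Status $Event.Properties[3].Value
                If ($Status -eq '0x0') { Continue }
                [PSCustomObject]@{
                    Time        = $Event.TimeCreated
                    DC          = $DC.HostName
                    EventId     = 4776
                    Protocol    = 'NTLM'
                    Status      = $Status
                    Workstation = $Event.Properties[2].Value   # client-supplied name; NTLM validation logs no IP
                    ClientIP    = $null
                }
            }
        }
    }
}

# Usage:
#   Get-LockoutSourceIP -Identity jdoe -Verbose | Sort-Object Time | Format-Table -AutoSize
```

If the output is all 4776 rows with Workstation set to "Workstation" and ClientIP empty, the bad passwords arrived over NTLM and the DC logs do not hold the address. In that case the IP is only recorded by the system the client actually connected to: a member server (web, file, mail) will have a 4625 with a Source Network Address for the same account in the same window, and a 4624 or 4625 on the DC itself will appear if the client hit the DC directly. Searching those logs for the account name, narrowed to the minutes around LastBadPasswordAttempt, is the next step.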

  • #75182
    Inactive

