Find user account lock out events

Retrieve event id 4740 instances from the security event logs to give details of the user account, the time and location of the lock out. Can filter to a specified number of days back and/or a specific user name

Version: 1.5.10
Created: 2020-07-24
Modified: 2020-08-04
Creator: Guy Leech
Downloads: 11
Tags:

<#
.SYNOPSIS
    Look for account lock out events (Security event id 4740).

.DESCRIPTION
    Original header: "Look for account lock out events on all selected domain controllers".
    The script passes no computer name to Get-WinEvent, so it reads only the Security
    log of the machine it runs on and has to be run on each domain controller of interest.

.PARAMETER daysAgo
    How many days back to search (fractions are accepted). Defaults to 1.

.PARAMETER username
    Optional. When given, only lock outs whose target user name equals this value are reported.

.NOTES
    @guyrleech 24/07/2020
#>

[CmdletBinding()]

Param
(
    [double]$daysAgo = 1 ,
    [string]$username
)

## Common parameters given by the caller win; anything not passed falls back to the script's own default.
## Errors default to 'Stop' so that an unexpected failure aborts the run rather than being skipped over.
if( -not $PSBoundParameters[ 'verbose' ] )
{
    $VerbosePreference = 'SilentlyContinue'
}

if( -not $PSBoundParameters[ 'debug' ] )
{
    $DebugPreference = 'SilentlyContinue'
}

if( -not $PSBoundParameters[ 'erroraction' ] )
{
    $ErrorActionPreference = 'Stop'
}

[int]$outputWidth = 400
## The [string] constraint turns $null into an empty string; later code tests it with IsNullOrEmpty
[string]$message = $null

## Widen the host's output buffer so the table produced later is not wrapped or truncated.
## Both lookups are guarded because a host may expose no RawUI or no buffer size.
$hostUI = (Get-Host).UI.RawUI
if( $hostUI )
{
    $bufferSize = $hostUI.BufferSize
    if( $bufferSize )
    {
        $bufferSize.Width = $outputWidth
        $hostUI.BufferSize = $bufferSize
    }
}

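## Only events created at or after this time are requested
[datetime]$startDate = (Get-Date).AddDays( -$daysAgo )

## Event id 4740 is the account lock out event. No computer name is passed to Get-WinEvent, so only the
## Security log of the machine running the script is queried.
## Get-WinEvent reports "nothing matched" as an error, which is expected and is the only error ignored here.
## Any other failure is surfaced as a warning so that a log which could not be read is not mistaken for
## "no lock outs", while the rest of the script still runs as before.
## NOTE(review): reading the Security log normally needs an elevated session or Event Log Readers
## membership - confirm the run context before trusting an empty result.
[array]$events = @()
try
{
    $events = @( Get-WinEvent -FilterHashtable @{ LogName = 'Security' ; Id = 4740 ; StartTime = $startDate } -ErrorAction Stop )
}
catch
{
    if( $_.FullyQualifiedErrorId -notmatch '^NoMatchingEventsFound' )
    {
        Write-Warning -Message "Unable to query the Security event log for lock out events: $($_.Exception.Message)"
    }
}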

## Turn the raw events into a time-ordered table, or prepare a message explaining why there is nothing to show
if( -not ( $events -and $events.Count ) )
{
    $message = "No lock out events found in last $daysAgo days"
}
else
{
    Write-Verbose -Message "Found $($events.Count) events"

    <#
        Properties array (sample from the original author):
            TargetUserName     johndoe
            TargetDomainName   GLS16MCS01
            TargetSid          S-1-5-21-1721611859-3364803896-2099701507-2124
            SubjectUserSid     S-1-5-18
            SubjectUserName    GRL-DC03$
            SubjectDomainName  GUYRLEECH
            SubjectLogonId     0x3e7

        Properties[0] is the locked out account. Properties[1] (TargetDomainName) is what the script
        reports as the computer name, i.e. where the lock out came from.
        NOTE(review): that field may be empty for some lock out sources - verify before relying on it.
    #>
    $matchAnyUser   = [string]::IsNullOrEmpty( $username )
    $userColumn     = @{ n = 'User name'     ; e = { $_.Properties[0].value } }
    $computerColumn = @{ n = 'Computer name' ; e = { $_.Properties[1].value } }

    [array]$filtered = @( $events |
        Where-Object { $matchAnyUser -or $_.properties[0].value -eq $username } |
        Select-Object -Property TimeCreated , $userColumn , $computerColumn |
        Sort-Object -Property TimeCreated )

    if( $filtered -and $filtered.Count )
    {
        $filtered | Format-Table -AutoSize
    }
    else
    {
        ## Lock out events exist in the period, but none survived the user name filter
        $message = "Found no lock out events in last $daysAgo days"
        if( -not $matchAnyUser )
        {
            $message += " for user $username"
        }
    }
}

## Only reached with text to print when no lock out rows were shown above
if( -not [string]::IsNullOrEmpty( $message ) )
{
    ## Append the time of the oldest event still held in the Security log - presumably so the reader can
    ## tell whether the log reaches back as far as the requested period; if it does not, the absence of
    ## lock out events is not conclusive. Failure to read the log is deliberately ignored here.
    $oldestEvent = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    if( $oldestEvent )
    {
        $message += ", oldest event in security event log is from $(Get-Date -Date $oldestEvent.TimeCreated -Format G)"
    }

    Write-Output -InputObject $message
}
