User account lockouts can be a common and frustrating issue for both IT administrators and end-users. Tracking down the source of these lockouts can be challenging, especially in a large Active Directory environment. Fortunately, PowerShell provides a powerful tool for finding user lockout events and identifying the root cause.
In this blog post, we'll explore a PowerShell script called Find-UserLockOut that can help you quickly locate user lockout events in your Active Directory environment. This script is designed to search through the Security event logs on all domain controllers to identify instances where a user account has been locked out. Let's dive into how this script works and how to use it effectively.
Understanding the Script
Before we get started with using the script, let's break down its functionality:
function Find-UserLockOut {
    param (
        [Parameter(Mandatory = $true)]
        [string]$Name
    )
    # Every domain controller in the domain; event 4740 is written on the DC that processed the lockout
    $DCs = Get-ADDomainController -Filter *
    # Search window: the last 24 hours
    $startDate = (Get-Date).AddDays(-1)
    # Properties[0] of a 4740 event is the locked-out account, Properties[1] the caller computer name
    $properties = @(
        'TimeCreated',
        @{ n = 'Account';      e = { $_.Properties[0].Value } },
        @{ n = 'ComputerName'; e = { $_.Properties[1].Value } }
    )
    foreach ($DC in $DCs) {
        # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when a DC has no matching events
        Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{ LogName = 'Security'; ID = 4740; StartTime = $startDate } -ErrorAction SilentlyContinue |
            Where-Object Message -Match $Name |
            Select-Object $properties
    }
}
Here's what each part of the script does:
- param ($Name): The script takes a single parameter, the username whose lockout events you want to find.
- $DCs = Get-ADDomainController -Filter *: Retrieves the list of all domain controllers in the Active Directory domain.
- $startDate = (Get-Date).AddDays(-1): Sets the start of the search window to one day ago. You can adjust this value to search for lockout events within a different timeframe.
- $properties: Defines the properties to return for each lockout event: the timestamp, the locked-out account, and the name of the computer from which the lockout originated (the Caller Computer Name in the event).
- foreach: Iterates over each domain controller ($DC) in the list obtained earlier.
- Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{LogName='Security'; ID=4740; StartTime=$startDate}: Retrieves events from that domain controller's Security event log, filtered by event ID 4740 (which corresponds to account lockout events) and the start date.
- Where-Object Message -Match $Name: Keeps only the events whose message matches the provided username ($Name).
- Select-Object $properties: Finally, outputs the desired properties of the matching events.
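As an added example (not the blog's script), here is a stricter variant of the same search. It compares the locked-out account exactly instead of regex-matching the message text, reads the event fields by name from the event XML rather than by position, and reports a domain controller that cannot be queried instead of stopping. The function name Find-UserLockOutStrict, the -Hours parameter and the sample account 'jsmith' are assumptions made for this example; it requires the ActiveDirectory module and permission to read the Security log on each domain controller.

```powershell
# Added example, not the original Find-UserLockOut: exact account match, named
# event fields, and per-DC error handling. Function name and -Hours parameter
# are this example's own (assumed) additions.
function Find-UserLockOutStrict {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Name,

        # Search window in hours (assumed default of 24, the same window as the original script)
        [int]$Hours = 24
    )

    $startDate = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; ID = 4740; StartTime = $startDate }

    foreach ($DC in (Get-ADDomainController -Filter *)) {
        try {
            # -ErrorAction Stop turns "no events found" and RPC failures into catchable exceptions
            $events = Get-WinEvent -ComputerName $DC.HostName -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Unreachable DC or no matching events on it: warn and continue with the next DC
            Write-Warning "$($DC.HostName): $($_.Exception.Message)"
            continue
        }

        foreach ($evt in $events) {
            # Read the EventData fields by name instead of by index
            $xml  = [xml]$evt.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

            # Exact (case-insensitive) comparison on the locked-out account; -Match on the
            # message text would also return 'jsmith2' when searching for 'jsmith'
            if ($data['TargetUserName'] -ne $Name) { continue }

            [pscustomobject]@{
                TimeCreated      = $evt.TimeCreated
                DomainController = $DC.HostName
                Account          = $data['TargetUserName']
                # In a 4740 event the TargetDomainName field carries the "Caller Computer Name"
                CallerComputer   = $data['TargetDomainName']
            }
        }
    }
}

# Usage: every lockout of the (assumed) account jsmith in the last 48 hours,
# grouped by the computer the failed logons came from, most frequent first
Find-UserLockOutStrict -Name 'jsmith' -Hours 48 |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Grouping by the caller computer is usually the fastest way to find the culprit: a single workstation or server that produces every lockout for the account typically has a stale cached credential, a scheduled task, or a mapped drive still using an old password.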
Using the Script
Now that we've discussed how the script works, let's see how to use it to find user lockout events in Active Directory:
1. Open PowerShell: Launch PowerShell with administrative privileges on a computer connected to your Active Directory domain.
2. Copy and Paste the Script: Copy the entire Find-UserLockOut script and paste it into your PowerShell session.
3. Run the Script: To use the script, simply call it and provide the username you want to search for lockout events:
Find-UserLockOut -Name "username"
Replace "username" with the actual username you want to search for.
4. Review the Results: The script searches the Security event logs on all domain controllers and displays the relevant lockout events, including the timestamp, the locked-out account, and the computer from which the lockout originated.
Conclusion
User lockout events can disrupt user productivity and cause frustration. However, with the PowerShell script Find-UserLockOut, you can quickly identify the source of these lockouts in your Active Directory environment. By examining the provided timestamp and computer name, you can pinpoint the issue and take appropriate action to resolve it. PowerShell continues to be a valuable tool for IT administrators, offering automation and efficiency in managing Windows environments.