Quick & Dirty: Account Lockout Events

The following will get all account lockout events from all writable domain controllers in the current domain and output the information to a text file. Active Directory Powershell Module is required.

ipmo activedirectory;$(Get-ADDomainController -Filter  {(OperatingSystem -ne "") -and (IsReadOnly -ne "True")} | %{Get-WinEvent -ComputerName $_.name -LogName security -FilterXPath "*[System[EventID='4740']]" | Select machinename,TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}}) | Out-File C:\temp\lockout.txt

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.