How to find out the source of an account lockout using PowerShell and ADAudit Plus

One of the biggest challenges for IT administrators is tracking down the source of an account lockout. You can get this information using Windows PowerShell, but the process is complicated. Alternatively, you can use a comprehensive AD auditing tool like ADAudit Plus to achieve this goal.

This article compares how you can track the source of an account lockout using Windows PowerShell and ADAudit Plus:

PowerShell

Steps to obtain the source of an account lockout with PowerShell:

  • Identify the domain from which you want to retrieve the report.
  • Identify the LDAP attributes you need to fetch the report.
  • Identify the primary DC to retrieve the report.
  • Compile the script.
  • Execute it in Windows PowerShell.
  • The report will be exported in the given format.
  • To obtain the report in a different format, modify the script according to the needs of the user.

Sample Windows PowerShell script

#Requires -Modules ActiveDirectory
Function Get-AccountLockoutStatus {
    [CmdletBinding()]
    param(
        # Domain controllers to query; defaults to every DC in the current domain
        [Parameter(
            ValueFromPipeline=$true,
            ValueFromPipelineByPropertyName=$true,
            Position=0)]
        [string[]]
        $ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name),
        # Optional: return lockouts for this account name only
        [Parameter()]
        [string]
        $Username,
        # How many days back to search the Security log
        [Parameter()]
        [int]
        $DaysFromToday = 3
    )
    BEGIN {
        $Object = @()
    }
    PROCESS {
        Foreach ($Computer in $ComputerName) {
            try {
                # Event ID 4740 = "A user account was locked out"
                $Events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{Logname = 'Security'; ID = 4740; StartTime = (Get-Date).AddDays(-$DaysFromToday)} -ErrorAction SilentlyContinue
                # $Entry is used instead of $Event, which is a PowerShell automatic variable
                Foreach ($Entry in $Events) {
                    $Properties = @{Computername   = $Computer
                                    Time           = $Entry.TimeCreated
                                    Username       = $Entry.Properties[0].Value   # locked-out account
                                    CallerComputer = $Entry.Properties[1].Value   # computer the lockout was triggered from
                                    }
                    $Object += New-Object -TypeName PSObject -Property $Properties | Select-Object ComputerName, Username, Time, CallerComputer
                }
            } catch {
                # Surface the failure instead of storing it in an unused variable
                Write-Warning ($Computer + " Error: " + $_.Exception.Message)
            } finally {
                if ($Username) {
                    Write-Output $Object | Where-Object {$_.Username -eq $Username}
                } else {
                    Write-Output $Object
                }
                # Reset to an empty array (not $null) so += keeps working for the next DC
                $Object = @()
            }
        }
    }
    END {}
}
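
One way to get a different time zone, a business-hours filter or another export format is to post-process the function's output. The following is an added example, not part of the original script or of ADAudit Plus; Get-LockoutSummary is a hypothetical helper and the sample records are constructed for illustration.

```powershell
# Added example. Sample records are constructed; they mimic the objects
# Get-AccountLockoutStatus emits (ComputerName, Username, Time, CallerComputer).
$Sample = @(
    [pscustomobject]@{ComputerName='DC01'; Username='jdoe';   Time=[datetime]'2024-03-04 09:15'; CallerComputer='WKS-014'}
    [pscustomobject]@{ComputerName='DC01'; Username='jdoe';   Time=[datetime]'2024-03-04 23:40'; CallerComputer='WKS-014'}
    [pscustomobject]@{ComputerName='DC02'; Username='jdoe';   Time=[datetime]'2024-03-05 10:05'; CallerComputer='MAIL-GW'}
    [pscustomobject]@{ComputerName='DC02'; Username='asmith'; Time=[datetime]'2024-03-09 14:20'; CallerComputer='WKS-102'}
)

function Get-LockoutSummary {   # hypothetical helper, not part of any module
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject[]] $Record,
        [string] $TimeZoneId = 'UTC',        # ID as known to the local OS
        [int]    $StartHour  = 9,            # business hours: Mon-Fri, StartHour <= hour < EndHour
        [int]    $EndHour    = 17,
        [switch] $BusinessHoursOnly
    )
    begin {
        $tz   = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
        $rows = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($r in $Record) {
            # Event times arrive as local DateTime values; convert to the reporting zone
            $t = [TimeZoneInfo]::ConvertTime([datetime]$r.Time, $tz)
            $inHours = ($t.DayOfWeek.ToString() -notin 'Saturday','Sunday') -and
                       ($t.Hour -ge $StartHour) -and ($t.Hour -lt $EndHour)
            if ($BusinessHoursOnly -and -not $inHours) { continue }
            $rows.Add([pscustomobject]@{Username=$r.Username; CallerComputer=$r.CallerComputer; Time=$t; InHours=$inHours})
        }
    }
    end {
        # One row per (account, caller) pair: a repeated pair points at the likely source
        $rows | Group-Object Username, CallerComputer | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Username       = $_.Group[0].Username
                CallerComputer = $_.Group[0].CallerComputer
                Lockouts       = $_.Count
                FirstSeen      = $times[0].ToString('yyyy-MM-dd HH:mm')
                LastSeen       = $times[-1].ToString('yyyy-MM-dd HH:mm')
                OutsideHours   = @($_.Group | Where-Object { -not $_.InHours }).Count
            }
        } | Sort-Object Lockouts -Descending
    }
}

$Sample | Get-LockoutSummary -TimeZoneId 'UTC' | Format-Table -AutoSize
# Live data: Get-AccountLockoutStatus | Get-LockoutSummary | Export-Csv .\lockouts.csv -NoTypeInformation
```

Lockouts that recur from the same caller outside business hours usually indicate a stored credential, service or scheduled task rather than a user mistyping a password.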

ADAudit Plus

To obtain the report,

  • Log in to the ADAudit Plus web console.
  • Navigate to Reports -> User Management -> Account Lockout Analyzer
  • In the 'Domain' drop down menu, select either the required domain or select 'All Domains'.
  • Use the 'Search' option to filter for specific user names, or domain controller, if required.
  • Obtain a list of all the account lockouts for a time period of your choice.
  • Select 'Analyzer Details' to get granular details about the source of a particular lockout.
  • Review the results that ADAudit Plus gives you: An analysis of the various components that could be the source of an account lockout.
 

The following are the limitations of using PowerShell to track the source of an account lockout:

  • We can run this script only from computers that have the Active Directory Domain Services role.
  • To change date formats, apply different time zones on the results, and to export the report in different formats, the script has to be modified.
  • Applying more filters, like 'During business hours', will increase the LDAP query complexity.

On the other hand, ADAudit Plus will quickly scan all DCs in the domain to retrieve information about the probable source of an account lockout in the form of an intuitive report. IT administrators can use this information to investigate and solve the problem.
