How to find bad password attempts in Active Directory using PowerShell
Using PowerShell scripts, admins can check bad logon attempts by users and the resulting account lockouts. ADSelfService Plus, an AD self-service password management, MFA, and SSO solution, audits AD users' login attempts and authentication status. It also displays the list of users locked out of their domain accounts with its Locked Out Users Report. Here is a comparison between using PowerShell commands and ADSelfService Plus to obtain information on bad logon attempts and account lockouts.
Get-ADUser -Filter * -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut
To access the Locked Out Users Report
- Go to Reports > User Reports > Locked Out Users Report.
To access the User Attempts Audit Report
- Go to Reports > Audit Reports > User Attempts Audit Report.
Report filtering and generation steps:
- In the report's page, specify the domain using the Select Domain option.
- Use the Add OUs option to specify OUs if necessary.
- Then, click Generate to generate the report.
- Quicker access:
Access the ADSelfService Plus reports in just a few clicks. Option to filter the reports according to domain and OU.
- Detailed reports::
View comprehensive reports that contain details such as device used for login, password expiry date, password last set, etc.
- Report customization:
Add additional columns to the reports for more information on the user login attempts and account lockouts. Similarly, remove columns according to requirement. Sort the reports entries in ascending or descending order.
- Report search:
Search for specific information in the columns displayed.
- Report export:
Export the reports in various formats like CSV, CSVDE, HTML, PDF, and XLS to desired email addresses.
- Report scheduling:
Schedule the reports to get generated and mailed to the admin or the manager at regular intervals.
- Extensive reports:
Access up to 16 out-of-the-box reports that give admins a holistic view of users' password and account status, identity verification attempts, enrollment, and self-service actions in all configured domains.