How to find bad password attempts in Active Directory using PowerShell

Using PowerShell scripts, admins can check bad logon attempts by users and the resulting account lockouts. ADSelfService Plus, an AD self-service password management, MFA, and SSO solution, audits AD users' login attempts and authentication status. It also displays the list of users locked out of their domain accounts with its Locked Out Users Report. Here is a comparison between using PowerShell commands and ADSelfService Plus to obtain information on bad logon attempts and account lockouts.

With PowerShell

Run the following script to generate information on accounts locked out because of wrong password attempts:

Get-ADUser -Filter * -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut

With ADSelfService Plus

To access the Locked Out Users Report:

  1. Go to Reports > User Reports > Locked Out Users Report.

To access the User Attempts Audit Report:

  1. Go to Reports > Audit Reports > User Attempts Audit Report.

Report filtering and generation steps:

  1. In the report's page, specify the domain using the Select Domain option.
  2. Use the Add OUs option to specify OUs if necessary.
  3. Then, click Generate to generate the report.

Advantages of ADSelfService Plus:

  • Quicker access: Access the ADSelfService Plus reports in just a few clicks, with the option to filter them by domain and OU.
  • Detailed reports: View comprehensive reports that contain details such as the device used for login, password expiry date, password last set, etc.
  • Report customization: Add columns to the reports for more information on user login attempts and account lockouts, or remove columns as required. Sort the report entries in ascending or descending order.
  • Report search: Search for specific information in the columns displayed.
  • Report export: Export the reports in various formats like CSV, CSVDE, HTML, PDF, and XLS to desired email addresses.
  • Report scheduling: Schedule the reports to get generated and mailed to the admin or the manager at regular intervals.
  • Extensive reports: Access up to 16 out-of-the-box reports that give admins a holistic view of users' password and account status, identity verification attempts, enrollment, and self-service actions in all configured domains.

Using PowerShell to find bad password attempts in Active Directory

Step 1: Retrieve users with bad password attempts

Run the command below to list the accounts that are currently locked out because of too many failed logon attempts, along with their names and SAM account names.

Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut

Step 2: Check failed login attempts in event logs

Use the Security event log to find users with repeated incorrect passwords: event ID 4625 is recorded for each failed logon attempt. The output includes the timestamp and the full event message for every failure.

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | Select-Object TimeCreated, Message

Step 3: Generate a report of bad logins

Export failed login attempts to a CSV file for auditing. The script below creates a CSV report of all failed login attempts.

$FailedLogins = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
$FailedLogins | Select-Object TimeCreated, Message | Export-Csv -Path "C:\Reports\FailedLogins.csv" -NoTypeInformation

Step 4: Notify the security team

Send an email alert if bad login attempts exceed a threshold. The script below alerts IT security when more than 5 failed attempts occur within the last hour.

# Count only the 4625 events from the last hour; without StartTime the whole log would be counted.
$since = (Get-Date).AddHours(-1)
$failedAttempts = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue).Count

if ($failedAttempts -gt 5) {
    # Send-MailMessage needs a relay to send through; replace the SMTP server and addresses with your own.
    Send-MailMessage -SmtpServer "smtp.yourdomain.com" -To "security@yourdomain.com" -From "admin@yourdomain.com" -Subject "Alert: Excessive Failed Login Attempts" -Body "$failedAttempts failed login attempts detected in the last hour."
}
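The four steps above combined into one added script that is not part of the original article: it filters 4625 events to the window on the server side, reads the account, source address and failure sub-status from the event XML instead of the message text, groups the failures per account, and alerts only on the accounts that cross the threshold. The threshold, window, SMTP relay and mail addresses are assumptions; it must run elevated on the host whose Security log records the failures, which for domain accounts means a domain controller.

```powershell
# Added example, not from the original article. Assumes it runs elevated on the host
# whose Security log records the failures (a domain controller for domain accounts).
param(
    [int]$Threshold   = 5,                      # assumed threshold
    [int]$WindowHours = 1,                      # assumed window
    [string]$SmtpServer = 'smtp.yourdomain.com' # placeholder relay
)

# Filter on the server side (log, ID, time) instead of piping every event through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$WindowHours)
} -ErrorAction SilentlyContinue

# Read structured fields from the event XML rather than regex-matching the Message text.
$failures = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
        SourceIP  = $data.IpAddress
        SubStatus = $data.SubStatus   # 0xC000006A = bad password, 0xC0000064 = unknown user name
        LogonType = $data.LogonType
    }
}

# Group per account: a single total (as in Step 4) cannot distinguish one user
# mistyping a password from a few attempts each spread across many accounts.
$summary = $failures | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Name
        Failures = $_.Count
        Sources  = ($_.Group.SourceIP | Sort-Object -Unique) -join ', '
        LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Failures -Descending

$summary | Format-Table -AutoSize

$flagged = $summary | Where-Object Failures -gt $Threshold
if ($flagged) {
    Send-MailMessage -SmtpServer $SmtpServer -To 'security@yourdomain.com' -From 'admin@yourdomain.com' `
        -Subject "Accounts with more than $Threshold failed logons in the last ${WindowHours}h" `
        -Body ($flagged | Format-List | Out-String)
}
```

The per-account table is printed in full, so failures spread thinly across many accounts, which the threshold alone would not flag, are still visible to whoever reviews the output.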

FAQs

1. How do I check failed login attempts in AD?

Use event logs to check failed login attempts in AD by running the script below:

Get-EventLog -LogName Security -InstanceId 4625

2. Can I track failed logins for a specific user?

Yes, you can track failed logins for a specific user by running the script below:

Get-EventLog -LogName Security -InstanceId 4625 | Where-Object {$_.Message -match "username"}

3. How can I lock accounts after multiple failed attempts?

Use Account Lockout Policy settings in AD to lock accounts after multiple failed attempts.
