Contact Us

Disclamer

Visit our disclaimer policy before making any changes to your system which may negatively impact the performance or make your system unresponsive.

Finding Users Active Directory Lockout Source

Find out which device is causing an user account to continuously being locked out.

Table of Contents

Intro

When running this code, it is best to run it as Domain Admin with fewer privileges that can cause errors.

Code

				
					Import-Module ActiveDirectory
$UserName = Read-Host "Please enter username"
#Get main DC
$PDC = (Get-ADDomainController -Filter * | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})
#Get user info
$UserInfo = Get-ADUser -Identity $UserName
#Search PDC for lockout events with ID 4740
$LockedOutEvents = Get-WinEvent -ComputerName $PDC.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
#Parse and filter out lockout events
Foreach($Event in $LockedOutEvents)
{
    If($Event | Where {$_.Properties[2].value -match $UserInfo.SID.Value})
    {

      $Event | Select-Object -Property @(
        @{Label = 'User'; Expression = {$_.Properties[0].Value}}
        @{Label = 'DomainController'; Expression = {$_.MachineName}}
        @{Label = 'EventId'; Expression = {$_.Id}}
        @{Label = 'LockoutTimeStamp'; Expression = {$_.TimeCreated}}
        @{Label = 'Message'; Expression = {$_.Message -split "`r" | Select -First 1}}
        @{Label = 'LockoutSource'; Expression = {$_.Properties[1].Value}}
      )

    }
}
Picture of Murphy
Murphy
Michael “Murphy” has BA in Computer Technology from Wayne State University and is a System Engineer for a food manufacturer in the Chicagoland area.
Migrating Azure AD Connect
July 30, 2024

Don’t waste time figuring out how to migrate Azure Active Directory from one server to another. Do it quick and don’t waste your time and get it done within an hour.

Read More »
Contact Us

Contact Us