Quick Script: Get AD Lockouts

I use this one once in awhile when I have a user or service account that is getting locked our repeatedly, and I need to see where its coming from.

You should be able to run this from your local computer. It will used the entered credentials to remote into the domain controllers and pull EventID’s 4740 and create a custom object to output.

#Input Domain Credentials
$creds = Get-Credential

#Change to your domain controller names
$domain_controllers = "DC1", "DC2", "DC3"
foreach ($dc in $domain_controllers) {
    Invoke-Command -Computername $dc -Credential $creds -ScriptBlock {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'
            ID      = 4740
        foreach ($event in $events) {
                Username  = $event.Properties[0].value
                Location  = $event.Properties[1].value
                TimeStamp = $event.TimeCreated
    Write-Host "----------------------------------------------"

You should get an output similar to this.

Hope you find this as useful as I do!

Leave a Reply

Your email address will not be published. Required fields are marked *