I use this one once in awhile when I have a user or service account that is getting locked our repeatedly, and I need to see where its coming from.
You should be able to run this from your local computer. It will used the entered credentials to remote into the domain controllers and pull EventID’s 4740 and create a custom object to output.
#Input Domain Credentials
$creds = Get-Credential
#Change to your domain controller names
$domain_controllers = "DC1", "DC2", "DC3"
foreach ($dc in $domain_controllers) {
Invoke-Command -Computername $dc -Credential $creds -ScriptBlock {
$events = Get-WinEvent -FilterHashtable @{
LogName = 'Security'
ID = 4740
}
foreach ($event in $events) {
[pscustomobject]@{
Username = $event.Properties[0].value
Location = $event.Properties[1].value
TimeStamp = $event.TimeCreated
}
}
}
Write-Host "----------------------------------------------"
}You should get an output similar to this.
Hope you find this as useful as I do!
By day, I’m a systems admin for a medium size company in the Pacific Northwest.
By night, I’m a blogger, gamer, and all around general nerd.