I use this one once in a while when I have a user or service account that is getting locked out repeatedly, and I need to see where it's coming from.
You should be able to run this from your local computer. It will use the entered credentials to remote into the domain controllers, pull Event ID 4740 entries, and create a custom object for output.
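    # Input domain credentials
    $creds = Get-Credential
    # Change to your domain controller names
    $domain_controllers = "DC1", "DC2", "DC3"
    foreach ($dc in $domain_controllers) {
        Invoke-Command -ComputerName $dc -Credential $creds -ScriptBlock {
            # Event ID 4740 = "A user account was locked out".
            # Without -ErrorAction, a DC with no 4740 entries raises "No events were found".
            $events = Get-WinEvent -FilterHashtable @{
                LogName = 'Security'
                ID      = 4740
            } -ErrorAction SilentlyContinue
            # $event is an automatic variable in PowerShell, so use another name
            foreach ($lockout in $events) {
                [pscustomobject]@{
                    Username  = $lockout.Properties[0].Value   # locked-out account
                    Location  = $lockout.Properties[1].Value   # caller computer name
                    TimeStamp = $lockout.TimeCreated
                }
            }
        }
        Write-Host "----------------------------------------------"
    }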
You should get an output similar to this.

Hope you find this as useful as I do!
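To see which machine is behind most of the lockouts, the objects the script returns can be grouped by account and source. This is an added example, not part of the original post; the `Get-LockoutSummary` function, the `$records` variable and the sample records in it are assumptions made for illustration.

```powershell
# Added example: roll lockout records up by account and source machine.
# Constructed sample records, shaped like the script's output. PSComputerName is
# the property Invoke-Command adds to name the DC that returned each object.
$records = @(
    [pscustomobject]@{ Username = 'svc_backup'; Location = 'APP01'; TimeStamp = [datetime]'2024-05-01T08:00:05'; PSComputerName = 'DC1' }
    [pscustomobject]@{ Username = 'svc_backup'; Location = 'APP01'; TimeStamp = [datetime]'2024-05-01T08:31:10'; PSComputerName = 'DC2' }
    [pscustomobject]@{ Username = 'svc_backup'; Location = 'APP01'; TimeStamp = [datetime]'2024-05-01T09:02:44'; PSComputerName = 'DC1' }
    [pscustomobject]@{ Username = 'jdoe';       Location = 'WS-114'; TimeStamp = [datetime]'2024-05-01T08:15:30'; PSComputerName = 'DC3' }
    [pscustomobject]@{ Username = 'jdoe';       Location = 'MAIL02'; TimeStamp = [datetime]'2024-04-20T17:45:00'; PSComputerName = 'DC1' }
)

function Get-LockoutSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        # Ignore lockouts older than this; the default keeps everything
        [datetime] $Since = [datetime]::MinValue
    )
    $Records |
        Where-Object { $_.TimeStamp -ge $Since } |
        Group-Object -Property Username, Location |
        ForEach-Object {
            # @() keeps single-record groups indexable as arrays
            $times = @($_.Group.TimeStamp | Sort-Object)
            [pscustomobject]@{
                Username   = $_.Group[0].Username
                Location   = $_.Group[0].Location
                Lockouts   = $_.Count
                FirstSeen  = $times[0]
                LastSeen   = $times[-1]
                ReportedBy = ($_.Group.PSComputerName | Sort-Object -Unique) -join ','
            }
        } |
        Sort-Object -Property Lockouts -Descending
}

# Most frequent account/source pairs first, limited to lockouts since 1 May
Get-LockoutSummary -Records $records -Since ([datetime]'2024-05-01') |
    Format-Table -AutoSize
```

With the real script, collect the output first with `$records = foreach ($dc in $domain_controllers) { ... }` and pass that variable to the function.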
By day, I’m a systems admin for a medium size company in the Pacific Northwest.
By night, I’m a blogger, gamer, and all around general nerd.