To track the source of account lockouts in Active Directory using PowerShell, you can follow these steps:

  1. Open PowerShell with administrative privileges on a domain controller or a workstation that has the Active Directory PowerShell module installed.
  2. Run the following command to enable the Account Management auditing policy on the domain controllers:

     ```powershell
     Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters" -Name "ExpensiveOn" -Value 2 -Type DWORD
     ```

     This command enables the tracking of the “Account Lockout” event and adds it to the security log.
  3. Run the following command to filter the security event log for the Account Lockout event (event ID 4740):

     ```powershell
     Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4740}
     ```

     This command retrieves all Account Lockout events from the security log. You can filter the events by date range or event source if needed.
  4. Look for the “Caller Computer Name” field in the event details to identify the source of the lockout. This field shows the name of the computer from which the lockout originated.
  5. To retrieve more detailed information about the lockout source, use the following command to query the security log on the source computer:

     ```powershell
     Get-EventLog -LogName Security -ComputerName <computer_name> | Where-Object {$_.EventID -eq 4625 -and $_.Message -match "<locked_out_user_account>"}
     ```

     Replace <computer_name> with the name of the computer identified in step 4, and <locked_out_user_account> with the username of the account that was locked out. This command retrieves all failed logon attempts for the specified user on the source computer. Look for the “Logon Type” field to identify the type of logon attempt that caused the lockout (e.g., interactive, remote desktop, network, etc.).
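
The steps above chained into one script, as an added example that is not part of the original page: it reads the 4740 events from the PDC emulator (lockouts are forwarded there, so it is the one domain controller worth querying), extracts the Caller Computer Name, then pulls the matching 4625 failures from that computer and decodes the Logon Type. It assumes the RSAT ActiveDirectory module, rights to read the Security log remotely, and a placeholder account name `jdoe`.

```powershell
# Added example (not from the original page). Assumes: ActiveDirectory module,
# remote read access to the Security log, and that lockout/logon auditing is on.
Import-Module ActiveDirectory

$LockedUser = 'jdoe'                     # placeholder: account that got locked out
$Since      = (Get-Date).AddHours(-24)   # look back one day

# Every lockout is replicated to the PDC emulator, so query it instead of each DC.
$Pdc = (Get-ADDomain).PDCEmulator

# Numeric Logon Type values as they appear in event 4625.
$LogonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive';
                 11='CachedInteractive' }

# Read one named field out of an event's EventData block.
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Step 3: lockout events (4740) for the target account on the PDC emulator.
$Lockouts = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $LockedUser }

foreach ($evt in $Lockouts) {
    # Step 4: the "Caller Computer Name" line in the message names the source host.
    if ($evt.Message -notmatch 'Caller Computer Name:\s+(\S+)') { continue }
    $caller = $Matches[1].TrimStart('\')

    # Step 5: failed logons (4625) for the same account on the source computer.
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $LockedUser } |
        ForEach-Object {
            $type = [int](Get-EventField $_ 'LogonType')
            [pscustomobject]@{
                LockedAt  = $evt.TimeCreated
                FailedAt  = $_.TimeCreated
                Caller    = $caller
                LogonType = "$type ($($LogonTypes[$type]))"
                Process   = Get-EventField $_ 'ProcessName'
                SourceIp  = Get-EventField $_ 'IpAddress'
            }
        }
}
```

The Process and SourceIp columns usually point straight at the culprit (a stale scheduled task, a mapped drive, or a service running under old credentials); if the caller computer returns nothing, the failures may have been logged only on the DC, so rerun the 4625 query against `$Pdc`.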

By following these steps, you can track the source of account lockouts in Active Directory.
