
How to Find the Source of Account Lockouts in Active Directory using PowerShell?

To find the source of account lockouts in Active Directory using PowerShell, follow these steps:

  1. Open PowerShell with administrative privileges.
  2. Run the following command to import the Active Directory module:
Import-Module ActiveDirectory
  3. Run the following command to filter the Security event log for Event ID 4740, which indicates an account lockout (the filter is applied at the log level rather than piping every record through Where-Object, and Get-WinEvent returns records that can later be parsed as XML):
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740}
  4. The output lists the details of each lockout event, including the time of the event, the affected user account, and the name of the domain controller where the event was recorded.
  5. To extract the individual fields of the lockout event, including the computer that originated the lockout, run the following command:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | ForEach-Object {
    # EventLogRecord objects from Get-WinEvent expose ToXml(); the EventLogEntry
    # objects returned by Get-EventLog do not, so this parse needs Get-WinEvent.
    $event = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $event.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated        = $_.TimeCreated
        TargetUserName     = $data['TargetUserName']
        TargetDomainName   = $data['TargetDomainName']   # for 4740 this field carries the caller computer name
        TargetSid          = $data['TargetSid']
        IpAddress          = $data['IpAddress']          # not populated in 4740; present in 4625/4771
        WorkstationName    = $data['WorkstationName']    # not populated in 4740; present in 4625
        CallerComputerName = $data['TargetDomainName']
    }
}

This outputs one object per lockout event with the affected user account, the domain where the account is located, the source IP address of the lockout, the name of the workstation where the lockout occurred, and the name of the computer from which the lockout was initiated. With this information you can identify the source of the account lockout and take action to prevent it from recurring.
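The following is an added example, not code from the original page. It wraps the steps above into two functions: one that turns the XML of a single 4740 event into an object, and one that locates the domain's PDC emulator (the domain controller that records every lockout in the domain, whichever DC processed the failed logons) and pulls recent 4740 events from it. It assumes the RSAT ActiveDirectory module is installed and the caller can read the remote Security log; the hostnames, account name and SID in the constructed sample event are placeholders.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module and permission to read the Security log on the PDC emulator.

function ConvertFrom-LockoutEvent {
    # Parse the XML of one 4740 event (as returned by EventLogRecord.ToXml())
    # into a flat object. In 4740 the rendered "Caller Computer Name" field is
    # stored in the TargetDomainName data element.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated        = [datetime]$x.Event.System.TimeCreated.SystemTime
        DomainController   = $x.Event.System.Computer
        LockedAccount      = $data['TargetUserName']
        LockedAccountSid   = $data['TargetSid']
        CallerComputerName = $data['TargetDomainName']
        ReportedBy         = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

function Get-LockoutSource {
    # Query the PDC emulator for 4740 events in the last $Hours hours.
    param([int]$Hours = 24)
    Import-Module ActiveDirectory -ErrorAction Stop
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LockoutEvent -EventXml $_.ToXml() }
}

# Constructed sample 4740 event (placeholder values, not real data) so the
# parser can be exercised without a domain controller.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-15T08:30:00.000000000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WS-FINANCE-07</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

# Offline check of the parser: CallerComputerName should be WS-FINANCE-07.
ConvertFrom-LockoutEvent -EventXml $sample | Format-List

# Live run on a domain-joined admin workstation:
# Get-LockoutSource -Hours 24 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Once the caller computer is known, the next place to look is that machine's own Security log for Event ID 4625 (failed logons), which does carry the IpAddress and WorkstationName fields and reveals the process or service that kept presenting the stale credential.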