PowerShell – Searching for the cause of a user account that keeps getting locked out

Earlier this week a colleague was asked to troubleshoot an issue where a user account kept getting locked out. So, we wanted to know from which device the faulty credentials were being used that were causing this (perhaps some crappy application which was using ‘old’ credentials? we didn’t knew…).

So, with the following PowerShell ‘oneliner’ you can quickly search through the eventlog of a domain controller for the event which describes the faulty logon attempt (or attempts):

Get-EventLog -ComputerName DC01 “Security” -InstanceID “4740” -Message *”USERNAME”*

This will give you a bunch of information per event it has found, so to filter it so it will only show the message and the time the event was generated:

Get-Eventlog -ComputerName DC01 “Security” -InstanceID “4740” -Message *”USERNAME”* | Format-List Timegenerated, Message

But perhaps you’ve got multiple domain controllers that you want to search through?

Get-Eventlog –ComputerName ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindDomainController() “Security” -InstanceID “4740” -Message *”USERNAME”* | Format-List Timegenerated, Message

5 comments

  1. lalajee says:

    Hi i tired this it does work it just comes up with error

  2. Jeff Wouters says:

    What error do you get? The commands work fine in my environment…

  3. cap says:

    Worked fine. Thanks 🙂

  4. Joe Truman says:

    I know this is old but I changed the script around to make it work in my environment. (just in case someone needs to solve the same issue at hand)

    $ComputerName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name;

    $EventList = Get-Eventlog –ComputerName $ComputerName -LogName “Security” -InstanceID 4740 -Message *Username*;

    $EventList | Format-List -Property TimeGenerated,Message;

  5. Joe Truman says:

    I’m interested in testing this as an admin on my local machine, before testing it out on our domain. Looking at your second option I have reworked it so it looks a little nicer. When I replace $ComputerName with my computername it says that my computer name isnt a cmdlet or script that it can use. I

    $ComputerName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name;

    $EventList = Get-Eventlog –ComputerName $ComputerName -LogName “Security” -InstanceID 4740 -Message *Username*;

    $EventList | Format-List -Property TimeGenerated,Message;

Leave a Reply

Your email address will not be published. Required fields are marked *