Earlier this week a colleague was asked to troubleshoot an issue where a user account kept getting locked out. So, we wanted to know from which device the faulty credentials were being used that were causing this (perhaps some crappy application which was using ‘old’ credentials? we didn’t knew…).
So, with the following PowerShell ‘oneliner’ you can quickly search through the eventlog of a domain controller for the event which describes the faulty logon attempt (or attempts):
Get-EventLog -ComputerName DC01 “Security” -InstanceID “4740” -Message *”USERNAME”*
This will give you a bunch of information per event it has found, so to filter it so it will only show the message and the time the event was generated:
Get-Eventlog -ComputerName DC01 “Security” -InstanceID “4740” -Message *”USERNAME”* | Format-List Timegenerated, Message
But perhaps you’ve got multiple domain controllers that you want to search through?
Get-Eventlog –ComputerName ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindDomainController() “Security” -InstanceID “4740” -Message *”USERNAME”* | Format-List Timegenerated, Message