18 May 2012 @ 11:36 AM 

Earlier this week a colleague was asked to troubleshoot an issue where a user account kept getting locked out. So, we wanted to know from which device the faulty credentials were being used that caused the lockouts (perhaps some crappy application that was still using ‘old’ credentials? We didn’t know…).

So, with the following PowerShell ‘oneliner’ you can quickly search through the Security event log of a domain controller for the event (ID 4740, “A user account was locked out”) that describes the faulty logon attempt (or attempts):

# Replace USERNAME with the sAMAccountName of the locked-out account
Get-EventLog -ComputerName DC01 -LogName Security -InstanceId 4740 -Message "*USERNAME*"

This gives you a bunch of information per event it finds, so to filter it down to only the message and the time the event was generated:

Get-EventLog -ComputerName DC01 -LogName Security -InstanceId 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message

But perhaps you’ve got multiple domain controllers that you want to search through?

# FindAllDomainControllers() returns every DC in the current domain (FindDomainController() would return only one);
# -ComputerName accepts an array, so the query runs against each of them
Get-EventLog -ComputerName (([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindAllDomainControllers() | ForEach-Object { $_.Name }) -LogName Security -InstanceId 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message
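The 4740 message itself contains the answer to the original question in its “Caller Computer Name” field, so the last step is to pull that field out instead of reading each message by hand. The following script is an added example, not code from the original post: it queries every domain controller in the current domain, keeps only the 4740 events for the requested account, and returns one object per lockout with the time, the DC that logged it and the caller computer. It assumes the caller has rights to read the Security log remotely on each DC, and that Get-EventLog is available (it exists in Windows PowerShell 5.1 and earlier, not in PowerShell 7). The function name Find-LockoutSource and the $Days default are assumptions of this example.

```powershell
# Added example (not from the original post): locate the device behind an account lockout.
function Find-LockoutSource {
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName,          # sAMAccountName of the locked-out account
        [int]$Days = 1              # how far back to search (constructed default)
    )

    # All DCs in the current domain; FindDomainController() would return only one.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dcs    = $domain.FindAllDomainControllers() | ForEach-Object { $_.Name }
    $since  = (Get-Date).AddDays(-$Days)

    # Exact match on the "Account Name:" line of the "Account That Was Locked Out" section,
    # so that searching for "jdoe" does not also return lockouts of "jdoe2".
    $accountPattern = '(?m)^\s*Account Name:\s+' + [regex]::Escape($UserName) + '\s*$'

    foreach ($dc in $dcs) {
        # "*$UserName*" is the same coarse wildcard filter the one-liners use;
        # the regex above refines it afterwards.
        $events = Get-EventLog -ComputerName $dc -LogName Security -InstanceId 4740 `
                               -After $since -Message "*$UserName*" `
                               -ErrorAction SilentlyContinue -ErrorVariable readErrors

        foreach ($err in $readErrors) {
            # Get-EventLog reports an empty result as an error ("No matches found");
            # only real problems (unreachable DC, access denied) are worth a warning.
            if ($err.Exception.Message -notmatch 'No matches found') {
                Write-Warning "Could not read the Security log on ${dc}: $($err.Exception.Message)"
            }
        }

        foreach ($event in $events) {
            if ($event.Message -notmatch $accountPattern) { continue }

            # The 4740 message ends with "Caller Computer Name:<tab>HOSTNAME".
            $caller = if ($event.Message -match 'Caller Computer Name:\s*(\S+)') {
                $Matches[1]
            } else {
                '(not present in message)'
            }

            [PSCustomObject]@{
                Time             = $event.TimeGenerated
                DomainController = $dc
                LockedAccount    = $UserName
                CallerComputer   = $caller
            }
        }
    }
}

# Usage: list the lockouts of jdoe over the last two days, oldest first
Find-LockoutSource -UserName jdoe -Days 2 | Sort-Object Time | Format-Table -AutoSize
```

Two practical notes: lockouts are forwarded to the PDC emulator, so querying that single DC is usually enough to see every 4740 event in the domain, while the loop above is what you want when you also care about which DC processed the bad password. And an empty Caller Computer Name is itself a useful signal: it typically means the failed logons came in through a path that does not report a workstation name (some network logon types or an RDP gateway), which tells you where to look next.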


Posted By: Jeff Wouters
Last Edit: 18 May 2012 @ 11:36 AM
