Aug 292019
 

Came accross this little gem. Useful for bruteforce and debugging

$userName = Read-Host "Enter Name of user or  for complete list"
$DomainControllers = Get-ADDomainController -Filter *
$PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})
foreach($pdc in $PDCEmulator){
         $pdcName = $pdc.HostName #[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', "time-inc-corp"))).PdcRoleOwner.name
         write-host "Checking PDCEmulator: $pdcName" 
         Get-WinEvent -ComputerName $pdcName -FilterHashtable @{LogName='Security';Id=4740;StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Properties[0].Value -like "$userName"} | Select-Object -Property TimeCreated, @{Label='UserName';Expression={$_.Properties[0].Value}},@{Label='ClientName';Expression={$_.Properties[1].Value}}
         }

  2 Responses to “Powershell script to see failed logins in AD”

  1. Practical

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)