Aug 292019
Came accross this little gem. Useful for bruteforce and debugging
$userName = Read-Host "Enter Name of user or for complete list" $DomainControllers = Get-ADDomainController -Filter * $PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"}) foreach($pdc in $PDCEmulator){ $pdcName = $pdc.HostName #[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', "time-inc-corp"))).PdcRoleOwner.name write-host "Checking PDCEmulator: $pdcName" Get-WinEvent -ComputerName $pdcName -FilterHashtable @{LogName='Security';Id=4740;StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Properties[0].Value -like "$userName"} | Select-Object -Property TimeCreated, @{Label='UserName';Expression={$_.Properties[0].Value}},@{Label='ClientName';Expression={$_.Properties[1].Value}} }
Awesome
Practical