adminze

Powershell script to see failed logins in AD

 Uncategorized  2 Responses »
Aug 292019
 

Came accross this little gem. Useful for bruteforce and debugging

$userName = Read-Host "Enter Name of user or  for complete list"
$DomainControllers = Get-ADDomainController -Filter *
$PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})
foreach($pdc in $PDCEmulator){
         $pdcName = $pdc.HostName #[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', "time-inc-corp"))).PdcRoleOwner.name
         write-host "Checking PDCEmulator: $pdcName" 
         Get-WinEvent -ComputerName $pdcName -FilterHashtable @{LogName='Security';Id=4740;StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Properties[0].Value -like "$userName"} | Select-Object -Property TimeCreated, @{Label='UserName';Expression={$_.Properties[0].Value}},@{Label='ClientName';Expression={$_.Properties[1].Value}}
         }
 Older Entries  Newer Entries