Hello,
Finding the origin of an Active Directory user lockout can be pretty tricky. The first step is to find the Domain Controller on which the lockout happens.
Finding the Domain Controller
Microsoft provides a tool for that:
https://www.microsoft.com/en-us/download/details.aspx?id=15201
LockoutStatus.exe is a tool that will tell you the name of the Domain Controller that locked our user.
Once you have installed the tool, you will find it in “C:\Program Files (x86)\Windows Resource Kits\Tools\lockoutstatus.exe”.
Click on “File” :
Click on “Select Target…” :
Type the name of our user :
Wait a few minutes, depending on the size of your Active Directory domain :
Here you go, in the last column, you get the “Orig Lock” that contains the name of the Domain Controller that locked our user :
Find Active Directory User Lockout Origin
Once you have the Domain Controller name, you can query it to get the computer causing the lockout. For this part, PowerShell will be our friend :
$DCName = 'DC1'
$User = 'IWantToBeLocked'
# Event ID 4740 = "A user account was locked out"; timediff() is in milliseconds (7200000 = last 2 hours)
Get-WinEvent -LogName Security -ComputerName $DCName -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$User']]" |
    Select-Object TimeCreated,
        @{Label='User Name';   Expression={$_.Properties[0].Value}},
        @{Label='Client Name'; Expression={$_.Properties[1].Value}}
We are using the Get-WinEvent cmdlet combined with a precise XPath filter, targeting the Domain Controller that locked our user :
Note : You need to change the $DCName and $User to match your investigation.
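As an added example (not code from the original post), the same query wrapped in a reusable function. It parameterises the user name, the Domain Controller and the time window, reads the named EventData fields from the event XML rather than relying on the position of Properties[], and handles the "no events found" error that Get-WinEvent raises when nothing matches. When no Domain Controller is given it falls back to the PDC emulator, which also records every lockout in the domain; that fallback assumes the ActiveDirectory module is installed. The function and parameter names (Get-LockoutOrigin, -SamAccountName, -DomainController, -Hours) are my own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# is available for the optional PDC emulator lookup; the function and parameter
# names are hypothetical.
function Get-LockoutOrigin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # If omitted, the PDC emulator is queried: every lockout is also recorded there.
        [string] $DomainController,
        [int] $Hours = 2
    )

    if (-not $DomainController) {
        $DomainController = (Get-ADDomain).PDCEmulator
    }

    # timediff() in the XPath filter is expressed in milliseconds
    $windowMs = $Hours * 60 * 60 * 1000

    # Same filter as the post, with the user name and time window parameterised
    $xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= ${windowMs}]]" +
             " and EventData[Data[@Name='TargetUserName']='${SamAccountName}']]"

    try {
        $events = Get-WinEvent -LogName Security -ComputerName $DomainController `
                               -FilterXPath $xpath -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no event matches; treat that as "no lockout in window"
        if ($_.Exception.Message -match 'No events were found') { return }
        throw
    }

    foreach ($e in $events) {
        # Read the named fields from the event XML instead of relying on Properties[] order
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $DomainController
            UserName         = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            # In event 4740 the TargetDomainName field carries the Caller Computer Name
            CallerComputer   = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    }
}

# Usage (run from a host that can reach the Domain Controller's event log):
# Get-LockoutOrigin -SamAccountName 'IWantToBeLocked' -DomainController 'DC1' -Hours 24
# Get-LockoutOrigin -SamAccountName 'IWantToBeLocked'          # falls back to the PDC emulator
```

Querying by field name rather than by index matters if you later reuse the same function for other event IDs, whose EventData fields come in a different order; the Caller Computer Name of event 4740 lives in TargetDomainName, which is why the post's Properties[1] maps to the client name.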
And voilà, we have the computer name of the culprit ! Now, you can pursue your investigations on the computer named “Client1”. You can look in mapped drives, printers, saved credentials, Outlook, Skype, scheduled tasks, etc…