Account Lockout Event Log Search on an AD Server
We often face the challenge of pulling the source of an account lockout out of the domain controller's Security event log. The Event Viewer GUI is friendly enough, but it does not always help when you need to work out where repeated lockouts are coming from. One of my users had his account locked out once every minute. Using native PowerShell, I put together the query below to identify the source of the lockout. It searches for Event ID 4771 (Kerberos pre-authentication failed), whose "Client Address" field records the machine that sent the bad credentials; the lockout event itself is 4740, which only gives a "Caller Computer Name". Both are always written on the PDC emulator, so that is the domain controller to run this against.
# Specify the log name and the Event ID to search.
# 4771 = Kerberos pre-authentication failed; its "Client Address" is the
# machine that sent the bad credentials. Failure Code 0x18 means bad password.
$LogName = "Security"
$EventID = 4771
# Retrieve the events for one account and extract the Client Address
Get-WinEvent -FilterHashtable @{LogName = $LogName; Id = $EventID} |
    Where-Object { $_.Message -match "Nameoftheaccount" } |   # replace with the locked-out account name
    ForEach-Object {
        # Extract "Client Address" from the message (IPv4 appears as ::ffff:x.x.x.x)
        if ($_.Message -match "Client Address:\s+(\S+)") {
            [PSCustomObject]@{
                TimeCreated   = $_.TimeCreated
                EventID       = $_.Id
                ClientAddress = $Matches[1]   # Extracted IP or address
            }
        }
    }
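The query above handles one event ID and one field. Below is an added example (mine, not the original post's query) that generalises it: it parses 4740 (the lockout), 4771 (Kerberos pre-auth failure) and 4776 (NTLM validation failure) into one flat record and ranks the sources by how many failures they produced, which is usually what settles "which machine is doing this". It assumes the standard Windows Server Security-log message layouts, that the account is given as its sAMAccountName, and that `-ComputerName` is pointed at the PDC emulator. The sample events at the bottom are constructed, not real log data, so the parser can be tried offline.

```powershell
# Added example, not from the original post. Assumes standard Windows Server
# 4740/4771/4776 message layouts and that -ComputerName targets the PDC emulator.

function ConvertFrom-LockoutEvent {
    # Turn a 4740 / 4771 / 4776 event into one flat record: who, from where, why.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $m = $Event.Message
        switch ($Event.Id) {
            4740 {  # "A user account was locked out" - the lockout itself.
                    # The first "Account Name" is the Subject (the DC), so anchor on the locked-out block.
                $acct = if ($m -match '(?s)Account That Was Locked Out:.*?Account Name:\s+(\S+)') { $Matches[1] }
                $src  = if ($m -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] }
                $code = 'locked'
            }
            4771 {  # Kerberos pre-auth failed; 0x18 = bad password, 0x12 = account revoked/locked.
                $acct = if ($m -match 'Account Name:\s+(\S+)') { $Matches[1] }
                $src  = if ($m -match 'Client Address:\s+(\S+)') { $Matches[1] -replace '^::ffff:', '' }
                $code = if ($m -match 'Failure Code:\s+(\S+)') { $Matches[1] }
            }
            4776 {  # NTLM credential validation; 0xC000006A = bad password, 0xC0000234 = locked out.
                $acct = if ($m -match 'Logon Account:\s+(\S+)') { $Matches[1] }
                $src  = if ($m -match 'Source Workstation:\s+(\S+)') { $Matches[1] }
                $code = if ($m -match 'Error Code:\s+(\S+)') { $Matches[1] }
            }
            default { return }
        }
        [PSCustomObject]@{
            TimeCreated = $Event.TimeCreated
            EventID     = $Event.Id
            Account     = $acct
            Source      = $src
            Code        = $code
        }
    }
}

function Get-LockoutSource {
    # Pull the relevant events for one account and rank the sources by failure count.
    param(
        [Parameter(Mandatory)][string]$Account,
        [string]$ComputerName = $env:COMPUTERNAME,    # set this to the PDC emulator
        [datetime]$StartTime  = (Get-Date).AddHours(-24)
    )
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $StartTime
    } |
        ConvertFrom-LockoutEvent |
        Where-Object { $_.Account -eq $Account } |
        Group-Object Source |
        Sort-Object Count -Descending |
        Select-Object Count, @{n = 'Source'; e = { $_.Name }},
            @{n = 'Codes';    e = { ($_.Group.Code | Sort-Object -Unique) -join ',' }},
            @{n = 'LastSeen'; e = { ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum }}
}

# Constructed sample events (not real log data) so the parser can be exercised offline.
$sample = @(
    [PSCustomObject]@{ TimeCreated = Get-Date; Id = 4771; Message = @'
Kerberos pre-authentication failed.
Account Information:
    Security ID:    S-1-5-21-1-2-3-1105
    Account Name:   jdoe
Network Information:
    Client Address: ::ffff:10.20.30.40
    Client Port:    52111
Additional Information:
    Failure Code:   0x18
'@ },
    [PSCustomObject]@{ TimeCreated = Get-Date; Id = 4740; Message = @'
A user account was locked out.
Subject:
    Account Name:   DC01$
Account That Was Locked Out:
    Security ID:    S-1-5-21-1-2-3-1105
    Account Name:   jdoe
Additional Information:
    Caller Computer Name:   WS-FINANCE-07
'@ }
)
$sample | ConvertFrom-LockoutEvent | Format-Table -AutoSize
# Against a live domain:  Get-LockoutSource -Account jdoe -ComputerName <PDC emulator name>
```

Running it against the constructed sample yields one record with Source 10.20.30.40 / Code 0x18 and one with Source WS-FINANCE-07 / Code locked; against a live PDC emulator the grouped output tells you which host to go and look at (a stale mapped drive, a scheduled task, a service account, or a device with a cached old password are the usual culprits). Note that the 4771 address is stripped of its `::ffff:` prefix, and that 4776's Source Workstation can be blank for some NTLM callers, so an empty group name there is expected rather than a parse failure.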