Saturday, 23 November 2024

Event Log Report with PowerShell

Account Lockout Event Log Search on an AD Server


We often struggle to find the source of an account lockout from the Security event log on a domain controller. The Event Viewer GUI is friendly enough, but it does not always help when you need to trace where the failed logons are coming from. One of my users was getting locked out once every minute; using native PowerShell, I put together the query below to identify the source of the lockout.

# Specify the log name and the Event ID to filter on
$LogName = "Security"
$EventID = 4771   # Example Event ID: 4771 = Kerberos pre-authentication failed

# Retrieve the matching events for the account and extract the client address
Get-WinEvent -FilterHashtable @{LogName = $LogName; Id = $EventID} |
    Where-Object { $_.Message -match "Nameoftheaccount" } |   # replace with the locked-out account name
    ForEach-Object {
        # Extract "Client Address" from the message body
        if ($_.Message -match "Client Address:\s+(\S+)") {
            [PSCustomObject]@{
                TimeCreated   = $_.TimeCreated
                EventID       = $_.Id
                ClientAddress = $matches[1]   # Extracted IP address of the caller
            }
        }
    }

#happy learning...
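The query above lists every hit one by one. The following script is an added example (not from the original post) that goes a step further: it pulls both 4771 and 4740 (account locked out) from the PDC emulator, which is the DC that records 4740 for the whole domain, and summarises the callers per source address with a hit count, first/last seen and a reverse-DNS name. The account name, the look-back window and the use of the ActiveDirectory module to find the PDC emulator are assumptions.

```powershell
# Added example, not from the original post. Summarise where a locked-out account's
# failed Kerberos pre-auths (4771) and lockouts (4740) came from in the last N hours.
# Assumptions: ActiveDirectory module is installed, the caller can read the Security
# log on the PDC emulator remotely, and $Account is a placeholder for the real account.
param(
    [string]$Account = "Nameoftheaccount",   # placeholder: the locked-out account name
    [int]$Hours = 1                          # look-back window in hours
)

# 4740 (account locked out) is always written on the PDC emulator, so query that DC.
$Pdc = (Get-ADDomain).PDCEmulator

$Filter = @{
    LogName   = 'Security'
    Id        = 4771, 4740          # Kerberos pre-auth failed, account locked out
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $Pdc -FilterHashtable $Filter -ErrorAction Stop |
    Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($Account))\s" } |
    ForEach-Object {
        # 4771 names the caller under "Client Address", 4740 under "Caller Computer Name".
        if     ($_.Message -match 'Client Address:\s+(\S+)')       { $src = $Matches[1] }
        elseif ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $src = $Matches[1] }
        else                                                        { $src = 'unknown' }
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            EventID     = $_.Id
            Source      = $src -replace '^::ffff:', ''   # drop the IPv4-mapped IPv6 prefix
        }
    }

# One row per source: hit count, first/last seen, event IDs, and a reverse-DNS name if any.
$events | Group-Object Source | Sort-Object Count -Descending | ForEach-Object {
    $src = $_.Name
    $dnsName = 'unresolved'
    try { $dnsName = [System.Net.Dns]::GetHostEntry($src).HostName } catch { }
    [PSCustomObject]@{
        Source    = $src
        HostName  = $dnsName
        Hits      = $_.Count
        FirstSeen = ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        LastSeen  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        EventIDs  = ($_.Group.EventID | Sort-Object -Unique) -join ','
    }
} | Format-Table -AutoSize
```

The source with the most hits at a one-minute cadence is usually a cached credential (a service, scheduled task or mapped drive) on that host rather than a person typing a password.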
