AD – Noam's scripting blog

#VARIABLES $scriptpath = $MyInvocation.MyCommand.Path $dir = Split-Path $scriptpath #$dir is the path to the directory which the script is being run from $outputFile = "$dir\$(get-date -format "yyyy-MM-dd HH-mm-ss")_ObsoleteUsers.csv" #parameters $DaysBack = 30 #Gets users who haven't logged in for this number of days

#SCRIPT MAIN if (-not(Get-Module -name "activedirectory")) { Import-Module ActiveDirectory | out-null } $Date = (Get-Date).addDays(-$DaysBack) $Users = @() #Create blank array to hold users who haven't logged in for $DaysBack days Get-ADUser -filter {(LastLogon -le $Date) -and (Name -like "*")} -Properties Lastlogon,whenCreated | % { $LastLogon = $_.LastLogon $LastLogon_DT = [datetime]::FromFileTime("$LastLogon") #convert logon time to a datetime object $User = "" | select Name,LastLogon,FullName,WhenCreated #creating a custom object $User.Name = $_.SamAccountName $User.LastLogon = $LastLogon_DT $User.FullName = $_.Name $User.WhenCreated = $_.WhenCreated $Users += @($User) #Add user to $Users array } $ObsoleteUsers = $Users | sort-object Lastlogon #sorting results by last logon time $ObsoleteUsers | Export-CSV $outputFile -force -NoTypeInformation #Export results to CSV in script directory

################################################################################################################## ##Script: Get-ObsoleteUsers.ps1 ##Description: Gets users in the active directory who haven't logged in for a given number of days (specified #+ in the parameter $DaysBack) and then exports the results to CSV. ##Created by: Noam Wajnman ##Creation Date: March 5, 2013 ##Updated: March 31, 2014 ################################################################################################################### #VARIABLES $scriptpath = $MyInvocation.MyCommand.Path $dir = Split-Path $scriptpath $outputFile = "$dir\$(get-date -format "yyyy-MM-dd HH-mm-ss")_ObsoleteUsers.csv" #parameters $DaysBack = 30 #Gets users who haven't logged in for this number of days #SCRIPT MAIN if (-not(Get-Module -name "activedirectory")) { Import-Module ActiveDirectory | out-null } $Date = (Get-Date).addDays(-$DaysBack) $Users = @() #Create blank array to hold users who haven't logged in for $DaysBack days Get-ADUser -filter {(LastLogon -le $Date) -and (Name -like "*")} -Properties Lastlogon,whenCreated | % { $LastLogon = $_.LastLogon $LastLogon_DT = [datetime]::FromFileTime("$LastLogon") #convert logon time to a datetime object $User = "" | select Name,LastLogon,FullName,WhenCreated #creating a custom object $User.Name = $_.SamAccountName $User.LastLogon = $LastLogon_DT $User.FullName = $_.Name $User.WhenCreated = $_.WhenCreated $Users += @($User) #Add user to $Users array } $ObsoleteUsers = $Users | sort-object Lastlogon #sorting results by last logon time $ObsoleteUsers | Export-CSV $outputFile -force -NoTypeInformation #Export results to CSV in script directory

Keeping track of locked out accounts is important. Furthermore it can be important to know where and when an account was locked out. For instance the source of the lockout can be important to know if one of your users is complaining that his account is being locked but he doesn’t know why.
This script scans the event log of your DC and gets all lockout events and then exports them to a CSV. If you run this script regularly with the task scheduler you can document all locked out accounts along with the time and source of the lockouts.
I have split the script into three sections variables, functions and script main.

Variables

#VARIABLES
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath #path to the directory from which the script is run.
$after = (get-date).addHours(-1) #time back to search the event log
$lockoutEventID = 4740 #event id of lockout
#parameters
$DC = "SomeDC" #Name of domain controller to scan event logs on

It is important to remember to enter the name of your DC in $DC in the parameters section. The rest can be left as is.

Functions

1. Function Get-LockoutEvents

function Get-LockoutEvents {
	param(
		$after,
		$lockoutEventID,
		$computerName = $env:COMPUTERNAME
	)
	$lockoutEvents = @(Get-EventLog -LogName "Security" -After $after -ComputerName $computerName | Where-Object {$_.EventID -eq $lockoutEventID})
	return $lockoutEvents
}

Get-LockoutEvents uses the powershell cmd-let Get-EventLog to scan the event log on the specified computer $computerName (should be a domain controller). It then returns an array containing the events found.
2. Function Parse-LockoutEvent

function Parse-LockoutEvent {
	param(
		$lockoutEvent
	)
	$EventTxt = $lockoutEvent.Message
	$bool = $EventTxt -match "(.*?)(Account That Was Locked Out:)[\S\s]+Account Name:[\s]+?(\w+)"
	$lockoutUser = $Matches[3]
	$lockoutTime = $lockoutEvent.TimeGenerated
	$lockoutSource = $lockoutEvent.Source
    $lockoutMessage = $lockoutEvent.Message -creplace "`n|`r",""    
	$lockoutMessage = $lockoutMessage -creplace "`t"," "
    
	$lockout = "" | select "User","Time","Source","Message"
	$lockout.User = $lockoutUser
	$lockout.Time = $lockoutTime
	$lockout.Source = $lockoutSource
    $lockout.Message = $lockoutMessage
	Return $lockout
}

This function takes a lockout event as a parameter and parses the most relevant parts to readable information. It returns a custom object with four properties user, time, source and message. User is the locked out user account. Time is the time of the lockout. Source is the entity which locked out the account. Message is the message text of the event which also normally includes the name/IP of where the account was locked out (in other words where the bad passwords were entered).
3. ExportToFile-LockoutEvents

function ExportToFile-LockoutEvents {
	param(
		$lockouts
	)
	$datestr = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
	$fileName = "$dir\Lockouts--$datestr.csv"
	$lockouts | Export-Csv $fileName -NoTypeInformation
}

This little function simply takes an array of parsed lockoutevents and exports it to a CSV file with a time stamp.

Script Main

#SCRIPT MAIN
$lockouts = @()
$lockoutEvents = Get-LockoutEvents -after $after -lockoutEventID $lockoutEventID
if ($lockoutEvents) {
	$lockoutEvents | % {	
	    $lockout = Parse-lockoutEvent -lockoutEvent $_
		$lockouts += @($lockout)
	}
	$lockouts #print the lockout events to the console
	ExportToFile-LockoutEvents -lockouts $lockouts #export the lockout events to CSV
}

In the script main I start by creating the blank array $lockouts. I then use the function Get-LockoutEvents to get the information and store it in another object called $lockoutEvents. If any lockout events were found they are parsed and then added to the array $lockouts which is then exported to a CSV file (and printed to the console window).
I have copied in the full script below. Enjoy!

##################################################################################################################
##Script:			Get-LockedOutAccounts.ps1
##Description: 		Script gets lockout events from the event log and parses them before exporting to CSV.
##Usage:			
##Created by:		Noam Wajnman
##Creation Date:	March 5, 2014
###################################################################################################################
#VARIABLES
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath #path to the directory from which the script is run.
$after = (get-date).addHours(-1) #time back to search the event log
$lockoutEventID = 4740 #event id of lockout
#parameters
$DC = "SomeDC" #Name of domain controller to scan event logs on
#FUNCTIONS
function Get-LockoutEvents {
	param(
		$after,
		$lockoutEventID,
		$computerName = $env:COMPUTERNAME
	)
	$lockoutEvents = @(Get-EventLog -LogName "Security" -After $after -ComputerName $computerName | Where-Object {$_.EventID -eq $lockoutEventID})
	return $lockoutEvents
}
function Parse-LockoutEvent {
	param(
		$lockoutEvent
	)
	$EventTxt = $lockoutEvent.Message
	$bool = $EventTxt -match "(.*?)(Account That Was Locked Out:)[\S\s]+Account Name:[\s]+?(\w+)"
	$lockoutUser = $Matches[3]
	$lockoutTime = $lockoutEvent.TimeGenerated
	$lockoutSource = $lockoutEvent.Source
    $lockoutMessage = $lockoutEvent.Message -creplace "`n|`r",""    
	$lockoutMessage = $lockoutMessage -creplace "`t"," "
    
	$lockout = "" | select "User","Time","Source","Message"
	$lockout.User = $lockoutUser
	$lockout.Time = $lockoutTime
	$lockout.Source = $lockoutSource
    $lockout.Message = $lockoutMessage
	Return $lockout
}
function ExportToFile-LockoutEvents {
	param(
		$lockouts
	)
	$datestr = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
	$fileName = "$dir\Lockouts--$datestr.csv"
	$lockouts | Export-Csv $fileName -NoTypeInformation
}
#SCRIPT MAIN
$lockouts = @()
$lockoutEvents = Get-LockoutEvents -after $after -lockoutEventID $lockoutEventID
if ($lockoutEvents) {
	$lockoutEvents | % {	
	    $lockout = Parse-lockoutEvent -lockoutEvent $_
		$lockouts += @($lockout)
	}
	$lockouts #print the lockout events to the console
	ExportToFile-LockoutEvents -lockouts $lockouts #export the lockout events to CSV
}

Noam's scripting blog

"Ready to use" scripts and scripting tips for system admins with detailed walkthroughs/explanations.

AD

Powershell – Get locked out AD user accounts and export to CSV

Variables

Functions

Script Main

Variables

Script Main

Share this:

Like this:

Variables

Functions

Script Main

Share this:

Like this: