Powershell, List Failed Logon Attempts

How many times as an administrator do you hear about someones account being locked. It can be very problematic for the user, especially when they don't know where it is being locked out from.

What do you do? Purchase an expensive vendor supplied application to parse the logs looking for all the locations from which the users Id is logged on? Well you could, but there is an easier way...

Most domains, use the PDC emulator role. The server with this role receives event log entries for;

  • Authentication failures that occur at a given DC in a domain because of an incorrect password.
  • Account lockouts.

We can leverage these logs using powershell to determine what system or device is causing an account to be locked, here's how...

  • Determine what user we are looking for, or is it all of them?
$userName = Read-Host "Enter Name of user or <CR> for complete list"

This will prompt for the logon id of the user. If you simply press enter, then a list of all users failed logons will be displayed.

  • Determine what domain controller has the PDC Emulator role.
$DomainControllers = Get-ADDomainController -Filter *
$PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})

Here we do two items, the first is to get the list of domain controllers and the second is to filter that list to only those with the PDCEmulator role installed.

  • Look through the logs on that server.
foreach($pdc in $PDCEmulator){
        $pdcName = $pdc.HostName
        write-host "Checking PDCEmulator: $pdcName" 
        Get-WinEvent -ComputerName $pdcName -FilterHashtable @{LogName='Security';Id=4740;StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Properties[0].Value -like "*$userName*"} | Select-Object -Property TimeCreated, @{Label='UserName';Expression={$_.Properties[0].Value}},@{Label='ClientName';Expression={$_.Properties[1].Value}}
        }

Here we loop through all of the PDCEmulators we located and review their logs. We only want to look at the Security logs which have an event id of 4740 and have occurred in the last day.

Of those logs, we check of the value property has the username in them. If so, we select the TimeCreated field, and property values 0 and 1 which happen to be the user id and the system that encountered the event. In this case that is the system on which the failed logon occurred.

This information is then output in the following format on the screen.

ps_list_failed_logons

 You can click here to download the full psListAllFailedLogons.ps1 script.

Leave a Reply