Who unlocked that Account?

Today when I logged into my PC, I was greeted with an email from the Information Security group telling me that they were notified that I attempted to unlock a user's account.

Well, that isn't surprising, I unlock accounts all the time.

Apparently the Information Security group had just gotten a new toy that notified them when user accounts were unlocked and by whom.

I won't go into all the issues I have with this, but it did start me thinking...

The company probably paid a lot of money for this utility, and I am sure it does more than just this one thing, but it seemed to me that I could write something that would do the same thing for a fraction, that fraction being 0%, of the cost of that utility.

Here is what I came up with:

  1. Determine the event ID from the security log that identifies that a user account was unlocked. (Done, it is event ID 4767.)
  2. Look at the logs on the domain controller and list the time that the event was created, the user whose ID was unlocked, and who did the unlocking.

So, here is the PowerShell snippet that I used to get the information:

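# Domain controller whose Security log is queried
$dcName = "<Domain controller to check>"

# Number of days back to check (7 is an example value)
$lookBack = 7

# User name being unlocked, or blank to match every account
$userName = "<user name being unlocked, or blank>"

# Event 4767: Properties[0] is the unlocked account, Properties[4] is the account that did the unlocking.
# StartTime subtracts $lookBack days from now so the window covers the past, not the future.
Get-WinEvent -ErrorAction Stop -ComputerName $dcName -FilterHashtable @{LogName='Security';Id=4767;StartTime=(Get-Date).AddDays(-$lookBack)} |
    Where-Object {$_.Properties[0].Value -like "*$userName*"} |
    Select-Object -Property TimeCreated, @{Label='Unlocked User';Expression={$_.Properties[0].Value}}, @{Label='Unlocked By';Expression={$_.Properties[4].Value}}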

I won't go into explaining all of the above. If you want more information, please post and I will try to answer.
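As an added example (not code from the original post): the snippet above picks the fields out by position, and the same fields can be read by name from the event's XML, which is easier to review and also shows which domain controller logged the unlock. The function name ConvertFrom-UnlockEventXml and the sample event are constructed for illustration; the Data field names are the ones event 4767 carries.

```powershell
# Constructed sample of a 4767 event (names, SIDs and times are made up).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4767</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:12.0000000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: turns one event's XML into a report row.
function ConvertFrom-UnlockEventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $evt = ([xml]$EventXml).Event
    if ([int]$evt.System.EventID -ne 4767) {
        throw "Not an account-unlock event (expected 4767, got $($evt.System.EventID))"
    }

    # Index the <Data Name="..."> elements by their Name attribute
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated     = [datetime]$evt.System.TimeCreated.SystemTime
        LoggedOn        = $evt.System.Computer
        'Unlocked User' = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        'Unlocked By'   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
    }
}

# Offline run against the constructed sample
ConvertFrom-UnlockEventXml -EventXml $sampleXml

# Against live events, pipe each result of the Get-WinEvent query above through:
#   ForEach-Object { ConvertFrom-UnlockEventXml -EventXml $_.ToXml() }
```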
