Check Domain Controllers for Failed logins

Occasionally you will have a user whose account keeps getting locked out. Tracking this down means "following the breadcrumbs", starting with the DCs to find out which one recorded the bad password attempts and where the authentication request came from. Because badPwdCount and lastBadPasswordAttempt are not replicated between DCs (each DC keeps its own copy), you have to ask every DC, which can be a pain if you have several of them, so I wrote a little script to help with this:

$DomainControllers = Get-ADDomainController -Filter *
$username = "some.user"

foreach ($DC in $DomainControllers) {
    Write-Host "Checking on $($DC.Hostname)" -ForegroundColor Green
    # Reset so a DC that fails to answer does not reuse the previous DC's result
    $result = $null
    try {
        # badPwdCount / lastBadPasswordAttempt are per-DC values, so query each DC directly.
        # -ErrorAction Stop makes a failed query terminating so the catch block actually runs.
        $result = Get-ADUser -Identity $username -Server $DC.Hostname `
            -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut -ErrorAction Stop
    }
    catch {
        Write-Host "An error occurred talking to $($DC.Hostname): $_" -ForegroundColor Yellow
    }
    if ($result -and $result.BadPwdCount -ge 1) {
        Write-Host "Last bad attempt was on $($result.LastBadPasswordAttempt) and the count is $($result.BadPwdCount) on server $($DC.Hostname)" -ForegroundColor Cyan
    }
}

Just change "some.user" to the user you are interested in, and the script will interrogate every DC in the domain and return the time, date and DC of any failed logins (if a DC cannot be reached you get a warning for that DC instead of a result). With the DC name and timestamp in hand, open Event Viewer on that DC and look in the Security log for event ID 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation failed) for that user at that time; the Client Address or Source Workstation field in the event is the source of the bad password. The lockout itself (event ID 4740) is always written on the PDC emulator and names the caller computer, so that is a good second place to look.
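As an added example (this is not the script from the post), here is the Event Viewer half of the breadcrumb trail scripted out: it pulls 4740 lockout events from the PDC emulator and 4771/4776 failed-logon events from every DC, filters them to the user, and prints the source address or workstation. It assumes the RSAT ActiveDirectory module, permission to read the Security log on the DCs remotely, and that account logon and lockout auditing is enabled; the user name and the two-hour lookback window are placeholders.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module,
# remote read access to the DCs' Security logs, and that auditing is enabled.
# $username and $lookback are placeholder values.
Import-Module ActiveDirectory

$username = "some.user"
$lookback = (Get-Date).AddHours(-2)

# Turn an event's EventData into a name -> value hashtable, so we are not
# guessing at Properties[] indexes, which differ between event IDs.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4740 (account locked out) is always written on the PDC emulator and names the
# computer that sent the final bad password, so check it first.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "Checking lockout events on PDC emulator $pdc" -ForegroundColor Green
try {
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $lookback } -ErrorAction Stop |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.TargetUserName -eq $username) {
                # In a 4740, TargetDomainName carries the "Caller Computer Name"
                Write-Host "$($_.TimeCreated)  locked out, caller computer: $($d.TargetDomainName)" -ForegroundColor Cyan
            }
        }
}
catch { Write-Host "No 4740 events found or cannot read the log on ${pdc}: $_" -ForegroundColor Yellow }

# 4771 (Kerberos pre-auth failed) and 4776 (NTLM credential validation failed) are only
# logged on the DC that handled the attempt, so walk every DC and report the source.
foreach ($DC in Get-ADDomainController -Filter *) {
    Write-Host "Checking failed logons on $($DC.Hostname)" -ForegroundColor Green
    try {
        Get-WinEvent -ComputerName $DC.Hostname -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $lookback } -ErrorAction Stop |
            ForEach-Object {
                $d = Get-EventData $_
                if ($d.TargetUserName -ne $username) { return }   # skip other accounts ("return" = next item here)
                if ($_.Id -eq 4771) {
                    $source = $d.IpAddress      # Kerberos: client IP, often in ::ffff:x.x.x.x form
                    $status = $d.Status         # 0x18 means bad password
                } else {
                    $source = $d.Workstation    # NTLM: source workstation name
                    $status = $d.Status         # 0xC000006A means bad password
                }
                Write-Host "$($_.TimeCreated)  event $($_.Id) from $source (status $status) on $($DC.Hostname)" -ForegroundColor Cyan
            }
    }
    catch { Write-Host "No matching events or cannot read the log on $($DC.Hostname): $_" -ForegroundColor Yellow }
}
```

Get-WinEvent reports "no events found" as an error, which is why the calls use -ErrorAction Stop inside try/catch: an empty log on one DC is reported and the loop moves on rather than aborting. Parsing the event XML by field name rather than by Properties[] index keeps the same code correct for both 4771 and 4776, whose field layouts differ.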
