PowerShell: Audit Failed Logins of a User

# Account to audit; sAMAccountName (or any identity Get-ADUser accepts).
$username = 'rambo'

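function auditLockouts($userName,$domainController,$refreshMinutes=1){
    # Lists account-lockout events (Security event ID 4740) recorded for one AD user.
    # Note: despite the page title this audits *lockouts*, not individual failed logon
    # attempts (those are separate event IDs and are not queried here).
    #
    # Arguments:
    #   $userName         - identity passed to Get-ADUser -Identity (sAMAccountName, DN, SID, ...)
    #   $domainController - DC whose Security log is read; defaults to the domain's PDC emulator,
    #                       which is where lockouts are consolidated
    #   $refreshMinutes   - age, in minutes, after which the cached event set is re-read (default 1)
    # Globals written: $GLOBAL:lockOuts and $GLOBAL:lockOutDataTimeStamp, a session-wide cache
    #   of the 4740 events. NOTE(review): the cache is not keyed by domain controller, so a later
    #   call with a different -domainController may reuse events fetched from the first one.
    # Returns: an array of [pscustomobject] with UserName, SourceComputer and TimeStamp,
    #   or $null when the user is unknown or no matching lockout events exist.

    function getLockouts($domainControler){
        # Requirement:
        # Domain Controllers Audit Group Policy has been enabled via these steps...
        # Browse to computer configuration > Security Settings > Advanced Audit Policy Configuration > Audit Policies >
        # Account Management > Enable success and failure for the "Audit User Account Management" policy.
        #
        # Installing the AD cmdlets is a side effect of running an audit; Add-WindowsFeature is only
        # available on server SKUs, so on a workstation the catch branch is what actually runs.
        if (!(Get-Command Get-ADUser -ErrorAction SilentlyContinue)){
            try{
                Import-Module ServerManager
                Add-WindowsFeature RSAT-AD-PowerShell
            }catch{
                Install-Module ActiveDirectory
            }
        }

        # Lockouts are replicated to the PDC emulator regardless of which DC processed the bad
        # password, so it is the authoritative source when no DC was named explicitly.
        if(!$domainControler){ $domainControler = (Get-ADDomain).PDCEmulator }
        $dataTimeStamp = Get-Date
        $lockoutEvents = Get-WinEvent -ComputerName $domainControler -FilterHashtable @{
            LogName = 'Security'
            ID      = 4740
        }
        # Element 0 is the event collection, element 1 the time the snapshot was taken.
        return @($lockoutEvents,$dataTimeStamp)
    }

    $principle = Get-ADUser -Identity $userName -ErrorAction SilentlyContinue
    if($principle){
        $samAccountName = $principle.SamAccountName
        $firstName      = $principle.GivenName
        $lastName       = $principle.Surname
        Write-Host "$username is matched $firstName $lastName "

        # Re-read the event log when the cached snapshot is older than $refreshMinutes.
        # (The original comparison was inverted: it refreshed while the cache was still fresh
        # and kept stale data once it had aged past the threshold.)
        $refreshLockoutData = if($GLOBAL:lockOutDataTimeStamp){
            $GLOBAL:lockOutDataTimeStamp -lt (Get-Date).AddMinutes(-$refreshMinutes)
        }else{
            $true
        }
        if (!$GLOBAL:lockOuts -or $refreshLockoutData){
            Write-Host "Scanning $domainController for lockout records... Please wait awhile."
            $lockoutData = getLockouts $domainController
            $GLOBAL:lockOuts              = $lockoutData[0]
            $GLOBAL:lockOutDataTimeStamp  = $lockoutData[1]
        }

        # For event 4740, Properties[0] is the locked-out account name and Properties[1] is the
        # name of the computer the bad-password attempts came from; confirm against the event XML
        # on your DC if the schema differs.
        $thisPersonLockouts = $GLOBAL:lockOuts | Where-Object { $_.Properties[0].Value -eq $samAccountName }
        $results = foreach ($lockout in $thisPersonLockouts){
            [pscustomobject]@{
                UserName       = $lockout.Properties[0].Value
                SourceComputer = $lockout.Properties[1].Value
                TimeStamp      = $lockout.TimeCreated
            }
        }
        if($results){
            return $results
        }else{
            Write-Host "No lockout events matched $userName."
            return $null
        }
    }else{
        Write-Warning "$userName is invalid"
        return $null
    }
}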
 
# Entry point: report lockouts for the configured account against the default (PDC emulator) DC.
auditLockouts -userName $username
# Sample Output
#PS C:\Windows\system32> auditLockouts rambo       
#rambo        is matched rambo 1982
#
#UserName     SourceComputer TimeStamp
#--------     -------------- ---------
#rambo        JUNGLE01       02/29/1982 5:11:50 PM
#rambo        JUNGLE01       02/29/1982 4:57:07 PM
#rambo        JUNGLE01       02/29/1982 4:46:51 PM
#rambo        JUNGLE01       02/29/1982 4:43:46 PM
#rambo        JUNGLE01       02/29/1982 4:34:05 PM
#rambo        JUNGLE01       02/29/1982 4:29:35 PM
#rambo        JUNGLE01       02/29/1982 4:28:30 PM
#rambo        JUNGLE01       02/29/1982 4:28:09 PM
#rambo        JUNGLE01       02/29/1982 4:26:24 PM
#rambo        JUNGLE01       02/29/1982 4:24:44 PM
#rambo        JUNGLE01       02/29/1982 4:24:14 PM
#rambo        JUNGLE01       02/29/1982 4:13:58 PM
#rambo        JUNGLE01       02/29/1982 4:06:27 PM
#rambo        JUNGLE01       02/29/1982 4:01:07 PM
#rambo        JUNGLE01       02/29/1982 3:50:51 PM
#rambo        JUNGLE01       02/29/1982 3:40:35 PM
#rambo        JUNGLE01       02/29/1982 3:30:19 PM
#rambo        JUNGLE01       02/29/1982 3:20:03 PM
#rambo        JUNGLE01       02/29/1982 3:09:48 PM
#rambo        JUNGLE01       02/29/1982 2:59:32 PM
#rambo        JUNGLE01       02/29/1982 2:49:16 PM
