
I have a requirement to find locked-out accounts (Security Event ID 4740) in the Security logs of the domain controllers.

I researched the web for different ways to do it.

I created this small PowerShell script to run from an admin tools server. It needs the ActiveDirectory module (for Get-ADForest / Get-ADDomainController) and an account with rights to read the Security log on each domain controller.

It may not be elegant but it works for me.

It is a two-part script with two functions: one reviews the live Security log on the selected domain controllers, and the other reviews archived Security logs (.evtx / .evt) that you have kept for SIEM or retention reasons.

 

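# Prompt for the look-back window and pick the domain controllers to review.
# Requires the ActiveDirectory module (Get-ADForest / Get-ADDomainController).

$date = Get-Date  # not used by the functions below; kept for reference

Write-Host "Enter a number to tell the script how many days in the past you want to review Security Log" -ForegroundColor Cyan -BackgroundColor Black

# Read the look-back window as a non-negative integer. A non-numeric entry
# would otherwise surface later as an obscure AddDays() error.
$daysback = 0
do {
    Write-Host "Enter Days Back" -ForegroundColor Yellow -NoNewline
    $rawDays = Read-Host
} until ([int]::TryParse($rawDays, [ref]$daysback) -and $daysback -ge 0)

$logdate = (Get-Date).AddDays(-$daysback) # earliest event TimeCreated to include

# Select the DC or DCs for this locked-out account review.
# Get-ADDomainController needs a real filter: '-Filter *' returns every DC of the
# domain (the original '- Filter' with a space is a parse error, not a parameter).
$getdc = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty Name |
    Out-GridView -Title "Get DCs from the forest and list. Select the ones you want to review the security logs " -PassThru

# Cancelling the grid view yields $null; stop here instead of running the review
# functions against an empty list.
if (-not $getdc) {
    Write-Warning "No domain controllers selected; nothing to review."
    return
}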

 

# This Function Reviews the domain controller security logs based on how many days you want to go back

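# Reviews the live Security log on each selected domain controller for
# Event ID 4740 (account lockout) newer than the chosen start time.
#
# Parameters (both default to the script-level selections, so the existing
# bare 'ReviewSecLog' call keeps working):
#   DomainControllers - DC host names to query (script variable $getdc)
#   StartTime         - earliest TimeCreated to include (script variable $logdate)
#
# Output: a TimeCreated / ID / Message table per DC on the pipeline.
# Notes:
#   - Get-WinEvent -ComputerName talks to the remote Event Log service over RPC;
#     reading the Security log needs Event Log Readers membership or local admin
#     on the DC. Access-denied and "DC unreachable" are reported as failures,
#     not as "no events" — the original Catch treated every error as an empty result.
#   - The original 'sort ... -wrap' failed on every DC (Sort-Object has no -Wrap
#     parameter), so the old script always printed "No Event ID 4740".
Function ReviewSecLog {
    param(
        [string[]]$DomainControllers = $getdc,
        [datetime]$StartTime = $logdate
    )

    $log = "Security"

    foreach ($dc in $DomainControllers) {
        Write-Host "Reviewing Server $dc" -ForegroundColor Green -NoNewline

        Try {
            # -ErrorAction Stop turns the non-terminating "No events were found"
            # error (and RPC / access errors) into an exception the Catch can see.
            Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = $log; StartTime = $StartTime; ID = 4740 } -ErrorAction Stop |
                Sort-Object TimeCreated |
                Format-Table TimeCreated, ID, Message -Wrap
        }
        Catch {
            if ($_.Exception.Message -like 'No events were found*') {
                Write-Host "No Event ID 4740 of this type from $dc" -ForegroundColor Yellow -BackgroundColor Black
            }
            else {
                # A real failure (access denied, RPC unavailable, bad host name)
                # must not be mistaken for "no lockouts in the window".
                Write-Warning "Failed to read the Security log on ${dc}: $($_.Exception.Message)"
            }
        }
    }
}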

 

# If you have an Archive of your security logs for Security and SIEM reasons then this function will review each archive log selected

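# Reviews archived Security logs (.evtx / .evt) for Event ID 4740 (account lockout).
#
# Parameters (defaults keep the existing bare 'ReviewArchLog' call working):
#   DomainControllers - hosts whose archive share to browse (script variable $getdc)
#   ArchivePath       - share/folder on each host holding the archived logs,
#                       appended to \\<dc>\ . The default is a placeholder and
#                       must be set to your archive location.
#
# Output: a TimeCreated / ID / Message table per selected archive file.
# Note: the original built the UNC path from $getdc directly; with several DCs
# selected that joins the names into one meaningless path, so the path is now
# built per DC inside the loop.
Function ReviewArchLog {
    param(
        [string[]]$DomainControllers = $getdc,
        [string]$ArchivePath = '<path to your archivelog.evtx or evt>'
    )

    foreach ($dc in $DomainControllers) {
        $root = "\\$dc\$ArchivePath"

        # Only event log files are offered; Get-WinEvent -Path accepts nothing else.
        Try {
            $archlog = Get-ChildItem -Path $root -Recurse -File -Include *.evtx, *.evt -ErrorAction Stop |
                Out-GridView -Title " Select an Archive Log from $dc" -PassThru
        }
        Catch {
            Write-Warning "Cannot list archive logs under ${root}: $($_.Exception.Message)"
            continue
        }

        if (-not $archlog) {
            Write-Host "No archive log selected on $dc" -ForegroundColor Yellow -BackgroundColor Black
            continue
        }

        foreach ($arch in $archlog) {
            Write-Host "Reviewing Archve log $dc $arch" -ForegroundColor Cyan -BackgroundColor Black

            # Filter for 4740 inside the reader instead of a post-hoc Where-Object;
            # -ErrorAction Stop makes "no events" and read failures catchable.
            Try {
                Get-WinEvent -FilterHashtable @{ Path = $arch.FullName; ID = 4740 } -ErrorAction Stop |
                    Format-Table TimeCreated, ID, Message -Wrap
            }
            Catch {
                if ($_.Exception.Message -like 'No events were found*') {
                    Write-Host "Reviewed Archive Security Log and no Event ID 4740 on $arch $dc" -ForegroundColor Yellow -BackgroundColor Black
                }
                else {
                    # Corrupt or unreadable archive is a failure, not an empty result.
                    Write-Warning "Failed to read archive ${arch}: $($_.Exception.Message)"
                }
            }
        }
    }
}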

 

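# Menu: ask which review to run.
# $choice replaces the original $input, which is a PowerShell automatic variable
# (the pipeline enumerator) and must not be assigned. -eq and switch are
# case-insensitive by default, so 'D'/'d' and 'T'/'t' need only one test each
# (the original Until condition listed "D" twice and never "d").
Do {
    Clear-Host
    Write-Host "Type 'D' or 'd' to review DC Security Log. Type 'T' or 't' to review the archive log"
    $choice = Read-Host -Prompt "Type 'D' or 'd' to review DC security Log. Type 'T' or 't' to review Archive log"
} Until ($choice -eq 'D' -or $choice -eq 'T')

Switch ($choice) {
    'D' { ReviewSecLog }
    'T' { ReviewArchLog }
}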

 

 

 

 

 
