# Identity of the account to audit; it is handed to auditLockouts at the bottom of the script.
$username = 'rambo'
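function auditLockouts($userName,$domainController,$refreshMinutes=1){
    <#
    .SYNOPSIS
    Lists the account-lockout events (Security event ID 4740) recorded for one Active Directory user.

    .DESCRIPTION
    Resolves $userName with Get-ADUser, reads event 4740 from the Security log of a domain
    controller, and returns one object per lockout of that account with the fields
    UserName, SourceComputer and TimeStamp.

    The raw event list is cached in $GLOBAL:lockOuts / $GLOBAL:lockOutDataTimeStamp so that
    auditing several users in a row does not re-read the Security log every time. The cache is
    re-read when it is older than $refreshMinutes or when a different domain controller is asked for.

    Requirement: the Domain Controllers audit Group Policy must have success and failure enabled for
    Computer Configuration > Security Settings > Advanced Audit Policy Configuration > Audit Policies >
    Account Management > "Audit User Account Management"; otherwise no 4740 events are written.

    NOTE(review): reading the Security log of a domain controller remotely normally needs
    Domain Admin or Event Log Readers rights on that DC - confirm for your environment.

    .PARAMETER userName
    Identity passed to Get-ADUser (for example the sAMAccountName).

    .PARAMETER domainController
    Domain controller whose Security log is read. When empty, the PDC emulator of the current domain is used.

    .PARAMETER refreshMinutes
    Maximum age, in minutes, of the cached event list before it is read again. Default 1.

    .OUTPUTS
    PSCustomObject rows (UserName, SourceComputer, TimeStamp), or $null when the user cannot be
    resolved, the log cannot be read, or no lockout matches.
    #>

    # The ActiveDirectory cmdlets are needed by the very first lookup below, so make sure they
    # exist before anything else runs (the original only checked after Get-ADUser had been called).
    if (!(get-command get-aduser -ea silentlycontinue)){
        try{
            Import-Module ServerManager
            Add-WindowsFeature RSAT-AD-PowerShell
        }catch{
            # NOTE(review): the ActiveDirectory module is normally delivered with RSAT. This fallback
            # installs whatever package carries that name in the configured repository, on a host that
            # queries domain controllers - confirm the repository is trusted, or install RSAT instead.
            install-module activedirectory
        }
    }

    # Reads every 4740 event from the Security log of one DC.
    # Returns @(events, timestamp); the timestamp is $null when the log could not be read.
    function getLockouts($targetDc){
        # Lockouts are recorded on the PDC emulator, so it is the default source.
        if(!$targetDc){$targetDc=(Get-ADDomain).PDCEmulator}
        $dataTimeStamp=get-date
        try{
            $lockoutEvents=Get-WinEvent -ComputerName $targetDc -FilterHashtable @{
                LogName = 'Security'
                ID = 4740
            } -ErrorAction Stop
        }catch{
            if($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*'){
                # An empty result is a valid answer, not a failure.
                $lockoutEvents=$null
            }else{
                # Access denied, RPC unavailable, etc. Do not let this look like "no lockouts".
                write-warning "Could not read the Security log on ${targetDc}: $($_.Exception.Message)"
                return @($null,$null)
            }
        }
        return @($lockoutEvents,$dataTimeStamp)
    }

    # Get-ADUser raises a terminating error for an unknown identity even with
    # -ErrorAction SilentlyContinue, so the lookup is wrapped to reach the warning branch below.
    $principal=$null
    try{
        $principal=Get-ADUser -Identity $userName -ErrorAction Stop
    }catch{
        write-verbose "Get-ADUser failed for '$userName': $($_.Exception.Message)"
    }
    if(!$principal){
        write-warning "$userName is invalid"
        return $null
    }

    $samAccountName=$principal.SamAccountName
    $firstName=$principal.GivenName
    $lastName=$principal.Surname
    write-host "$username is matched $firstName $lastName "

    # The cache is stale when its timestamp is OLDER than (now - refreshMinutes).
    # The original comparison was inverted: it re-scanned fresh data and kept stale data forever,
    # so lockouts that happened after the first scan were never reported.
    $cacheIsStale=if($GLOBAL:lockOutDataTimeStamp){
        $GLOBAL:lockOutDataTimeStamp -lt (get-date).AddMinutes(-$refreshMinutes)
    }else{
        $true
    }
    # Events cached from one DC must not be reported as if they came from another.
    $sourceChanged="$($GLOBAL:lockOutDataSource)" -ne "$domainController"

    if (!$GLOBAL:lockOuts -or $cacheIsStale -or $sourceChanged){
        write-host "Scanning $domainController for lockout records... Please wait awhile."
        $lockoutData=getLockouts $domainController
        if(!$lockoutData[1]){
            # The log could not be read (warning already written); keep the old cache untouched.
            return $null
        }
        $GLOBAL:lockOuts=$lockoutData[0]
        $GLOBAL:lockOutDataTimeStamp=$lockoutData[1]
        $GLOBAL:lockOutDataSource="$domainController"
    }

    # In event 4740, Properties[0] is the locked-out account name and Properties[1] is the
    # computer the failed logons came from (shown as "Caller Computer Name" in Event Viewer).
    $thisPersonLockouts=$GLOBAL:lockOuts|?{$_.Properties[0].Value -eq $samAccountName}
    $results=foreach ($lockout in $thisPersonLockouts){
        [pscustomobject]@{
            UserName = $lockout.Properties[0].Value
            SourceComputer = $lockout.Properties[1].Value
            TimeStamp = $lockout.TimeCreated
        }
    }

    if($results){
        return $results
    }else{
        write-host "No lockout events matched $userName."
        return $null
    }
}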
# Run the audit for the account chosen at the top of the script; with no domain controller
# argument, the function picks the PDC emulator itself.
auditLockouts -userName $username
# Sample Output
#PS C:\Windows\system32> auditLockouts rambo
#rambo is matched rambo 1982
#
#UserName SourceComputer TimeStamp
#-------- -------------- ---------
#rambo JUNGLE01 02/29/1982 5:11:50 PM
#rambo JUNGLE01 02/29/1982 4:57:07 PM
#rambo JUNGLE01 02/29/1982 4:46:51 PM
#rambo JUNGLE01 02/29/1982 4:43:46 PM
#rambo JUNGLE01 02/29/1982 4:34:05 PM
#rambo JUNGLE01 02/29/1982 4:29:35 PM
#rambo JUNGLE01 02/29/1982 4:28:30 PM
#rambo JUNGLE01 02/29/1982 4:28:09 PM
#rambo JUNGLE01 02/29/1982 4:26:24 PM
#rambo JUNGLE01 02/29/1982 4:24:44 PM
#rambo JUNGLE01 02/29/1982 4:24:14 PM
#rambo JUNGLE01 02/29/1982 4:13:58 PM
#rambo JUNGLE01 02/29/1982 4:06:27 PM
#rambo JUNGLE01 02/29/1982 4:01:07 PM
#rambo JUNGLE01 02/29/1982 3:50:51 PM
#rambo JUNGLE01 02/29/1982 3:40:35 PM
#rambo JUNGLE01 02/29/1982 3:30:19 PM
#rambo JUNGLE01 02/29/1982 3:20:03 PM
#rambo JUNGLE01 02/29/1982 3:09:48 PM
#rambo JUNGLE01 02/29/1982 2:59:32 PM
#rambo JUNGLE01 02/29/1982 2:49:16 PM