Posted On January 6, 2020

PowerShell: Search for Failed Logins on Primary Domain Controller

kimconnect
# Quick Script to search for failed logins (event ID 4625) on the PDC emulator

$daysLimit = 7
$userName = "Bruce"
$pdc = (Get-ADDomain).PDCEmulator
#$allDCs = ((Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ }).Name

function getFailedLoginEvents{
    param(
        $dc,
        $daysLimit,
        $searchString
    )

    # Sanitize input: wrap the search string in wildcards so partial names match
    if($searchString[0] -ne "*"){$searchString="*"+$searchString}
    if($searchString[$searchString.Length-1] -ne "*"){$searchString+="*"}

    # 4625 ReplacementStrings: [5] TargetUserName, [13] WorkstationName, [19] IpAddress
    $results = Get-EventLog -LogName Security -ComputerName $dc -InstanceId 4625 -After (Get-Date).AddDays(-$daysLimit) | `
        Select TimeGenerated,ReplacementStrings | %{
            if($_.ReplacementStrings[5] -like $searchString){
                [PSCustomObject]@{
                    UserName        = $_.ReplacementStrings[5]
                    Source_Computer = $_.ReplacementStrings[13]
                    IP_Address      = $_.ReplacementStrings[19]
                    Date            = $_.TimeGenerated
                }
            }
        }

    if ($results){
        return "$($results|ft -autosize|Out-String)";
    }else{
        return "$searchString not found.";
    }
}

getFailedLoginEvents -dc $pdc -daysLimit $daysLimit -searchString $userName

Sample Result:

UserName     Source_Computer IP_Address  Date
--------     --------------- ----------  ----
Bruce.Leeeee DomainC-007     192.1.1.500 1/6/2020 1:03:33 AM
Bruce.Leeeee DomainC-007     192.1.1.500 1/6/2020 1:03:30 AM
Bruce.Leeeee DomainC-007     192.1.1.500 1/6/2020 1:01:24 AM
Bruce.Leeeee DomainC-007     192.1.1.500 1/6/2020 1:01:21 AM
Bruce.Leeeee DomainC-007     192.1.1.500 1/6/2020 1:00:10 AM
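The same search written with Get-WinEvent, as an added example that is not part of the original post. Get-WinEvent filters on the remote host instead of pulling the whole Security log across the wire, reads the 4625 fields by name from the event XML rather than by ReplacementStrings position, and still works on PowerShell 7, where Get-EventLog has been removed. It also adds a -Summary switch that groups attempts by account and source address, which is the view that separates one user mistyping a password from one source trying many accounts. The function name Get-FailedLogons and its parameters are assumptions of this example; it relies on the ActiveDirectory module and read access to the Security log on each DC. One caveat for reading the results: 4625 is only written by the DC that serviced the logon, and Kerberos pre-authentication failures are recorded as 4771 and NTLM validation failures as 4776, so a 4625-only search will not show every bad password attempt in the domain.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory module
# and read access to the Security log on each DC named in -ComputerName.
function Get-FailedLogons {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @((Get-ADDomain).PDCEmulator),
        [int]$Days = 7,
        [string]$UserName = '*',   # wildcard pattern matched against TargetUserName
        [switch]$Summary           # group by account and source instead of listing every event
    )

    # Same sanitizing idea as the original: a bare name becomes a contains-match
    if ($UserName -notmatch '[*?]') { $UserName = "*$UserName*" }

    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddDays(-$Days)
    }

    $events = foreach ($dc in $ComputerName) {
        # Get-WinEvent throws a terminating error when nothing matches; treat that as "no rows"
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Read named EventData fields from the event XML
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

                if ($data.TargetUserName -like $UserName) {
                    [PSCustomObject]@{
                        DC              = $dc
                        Date            = $_.TimeCreated
                        UserName        = $data.TargetUserName
                        Source_Computer = $data.WorkstationName
                        IP_Address      = $data.IpAddress
                        LogonType       = $data.LogonType
                        Status          = $data.Status     # 0xC000006D = bad user name or password
                        SubStatus       = $data.SubStatus  # 0xC0000064 = unknown user, 0xC000006A = bad password
                    }
                }
            }
    }

    if (-not $events) {
        Write-Warning "No 4625 events matching '$UserName' in the last $Days days."
        return
    }

    if ($Summary) {
        # One row per account/source pair: many accounts from one source suggests spraying,
        # many attempts against one account suggests a stale saved credential or brute force.
        $events | Group-Object UserName, IP_Address | ForEach-Object {
            [PSCustomObject]@{
                UserName   = $_.Group[0].UserName
                IP_Address = $_.Group[0].IP_Address
                Attempts   = $_.Count
                First      = ($_.Group.Date | Measure-Object -Minimum).Minimum
                Last       = ($_.Group.Date | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Attempts -Descending
    }
    else {
        $events | Sort-Object Date -Descending
    }
}

# Usage: the original post's query against the PDC emulator, then a per-source
# summary across every DC in the forest (the commented-out $allDCs idea above).
Get-FailedLogons -UserName 'Bruce' -Days 7 | Format-Table -AutoSize

$allDCs = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomainController -Filter * -Server $_).HostName }
Get-FailedLogons -ComputerName $allDCs -Summary | Format-Table -AutoSize
```

The SubStatus column is worth keeping in the listing: 0xC0000064 (account does not exist) across many different names from one IP_Address is a name-enumeration pattern rather than a user problem, while repeated 0xC000006A against one account from one workstation is usually a service or scheduled task still holding an old password.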
