One of my colleagues has recently been on to me a few times about his account being locked out, so I decided to do some research into account lockouts and put together a PowerShell script that checks the Security event log on each domain controller in the domain. Rather than reading the whole Security event log, I decided to check only the previous 6 hours.
Research :
The first thing I came across when I started the research was this link, which is about using the Search-ADAccount cmdlet to find locked out accounts.
When an account is locked out, event 4740 is written to the Security event log. In the comments of that article I found the lines of PowerShell that I based the script on.
A PowerShell tip of the week on how to use the Get-Date cmdlet to manipulate times. The information in the article helped me figure out how to work out
Script :
# Only look back 6 hours; Get-EventLog -After filters on TimeGenerated
$StartTime = (Get-Date).AddHours(-6)
$logName = "Security"
$dcList = "dc1", "dc2", "dc3"
# 4740 = "A user account was locked out"
$eventID = 4740
foreach ($dcName in $dcList)
{
    $Start_Time = Get-Date
    Write-Host " "
    Write-Host "Starting to check logs on $dcName at $Start_Time"
    Write-Host " "
    # -After reads the whole remote log before the time filter is applied, so this can be slow on large logs
    Get-EventLog -LogName $logName -ComputerName $dcName -After $StartTime |
        Where-Object { $_.EventID -eq $eventID } |
        Format-List -Property TimeGenerated, ReplacementStrings, Message
    $Finish_Time = Get-Date
    Write-Host " "
    Write-Host "Finished checking logs on $dcName at $Finish_Time"
    Write-Host " "
}
Issues :
So when the script runs it is pretty slow. After doing some research, it appears that when you use -After with the Get-EventLog cmdlet the whole event log is read in before any of the filtering is done, so if the event log is large or the domain controller is across a slow link it is really going to be slow.
One suggestion for improving the performance is to use the -Newest option.
Another way to improve performance might be to use PowerShell Remoting, but if you still have to read in the whole event log you are still affected by the size of your event logs.
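As an added example (not code from the original post), here is a version that pushes the filtering onto each domain controller instead of pulling the whole Security log across the network: Invoke-Command runs the query on the DC itself, and Get-WinEvent's -FilterHashtable lets the event log service select only event ID 4740 records newer than the start time. The DC names are placeholders, and the mapping of the first two event properties to the locked account and the caller computer name is an assumption based on the 4740 event template.

```powershell
# Added example, not part of the original post. Assumes the DC names are
# placeholders and that the caller can read the Security log on each DC.
$StartTime = (Get-Date).AddHours(-6)
$dcList    = "dc1", "dc2", "dc3"   # placeholder domain controller names

# The script block executes on each DC, so only matching 4740 records come back.
# -FilterHashtable is applied by the event log service rather than by reading
# every record into PowerShell first, which is what makes Get-EventLog -After slow.
$lockouts = Invoke-Command -ComputerName $dcList -ArgumentList $StartTime -ScriptBlock {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |    # no matches raises a non-terminating error
        ForEach-Object {
            # Assumption: for 4740 the first two replacement values are the locked
            # account name and the caller computer name (source of the bad passwords).
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                TimeCreated      = $_.TimeCreated
                Account          = $_.Properties[0].Value
                CallerComputer   = $_.Properties[1].Value
            }
        }
}

# Sort across all DCs so the helpdesk can see which machine keeps locking the account
$lockouts |
    Sort-Object TimeCreated |
    Format-Table DomainController, TimeCreated, Account, CallerComputer -AutoSize
```

If you stay with Get-EventLog, combining -Newest with -InstanceId 4740 caps how many of the most recent records are read before the -After time filter is applied, which is the cheaper of the two options the post mentions; the Get-WinEvent approach above avoids the full read altogether.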