
I have an account which keeps locking out, but this happens at night time when we are not able to take logs or grab logs. So what I'd like to do is write a PowerShell script to take these logs for me.

I'm using ALTools. Within ALTools there is a program called LockoutStatus; with this program there is a column called Orig Lock.

I'd just like to know where this information is collected from; is it from an event or from the user?

I only need the Orig Lock info.

Please see below screenshot

  • any help would be great – maj Jan 27 '15 at 12:01
  • You can use EventCombMT that comes as part of the solution which will search all your DC's for lockout events and give you the original location, time and user. All within a similar GUI to the one you get with LockoutStatus, it then creates .txt based log files for you to read through. – Samuel Nicholson Jan 29 '15 at 10:17

2 Answers

The documentation for LockoutStatus defines the field like this:

Orig Lock: Displays the domain controller that locked the account (the domain controller that made the originating write to the LockoutTime attribute for that user).

You can access the attribute properties from replication metadata.

Import-Module ActiveDirectory
$Username = "<username here>"   # sAMAccountName of the locked account (placeholder)
$LockedAccount = Get-ADUser -Identity $Username
$LockedObjectPath = $LockedAccount.DistinguishedName
# Take the first domain controller in the current domain's list
$DomainController = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers[0].Name
# Replication metadata for lockoutTime: the originating writer is the DC that locked the account
$LockoutReplicationRecord = Get-ADReplicationAttributeMetadata -Object $LockedObjectPath -Server $DomainController |
    Where-Object { $_.AttributeName -eq "lockoutTime" }
Write-Host "$($LockoutReplicationRecord.LastOriginatingChangeDirectoryServerIdentity)"

Parse that line for just the server name.

I'm doing this on a 2012 domain, but I think all this code works on 2008. So far, all the test cases I tried were locked out by the server with the FSMO role, so I'm not sure if this will give the output you expect. It looks like you have a great environment to give it a try. This code just takes the first domain controller in the list, and I imagine that you will be looping through them all to get the bad password count on each one. In that case, substitute whatever variable you are already using, as long as it is the name of the server in text format (it doesn't have to be FQDN like it is with this code).

I can't confirm that this is the same information that LockoutStatus.exe uses, but it takes the same amount of time to run and for me, the output matched.

Zach Bolinger

Old topic, but I thought I'd add to the great post from @Zach Bolinger, in case it helps anyone else.

This will output: MyUsername was locked out on MY-DC03 at 04/02/2022 09:06:24

There may be a more appropriate way to parse LastOriginatingChangeDirectoryServerIdentity which looks something like:

CN=NTDS Settings,CN=MY-DC03,CN=Servers,CN=Core,CN=Sites,CN=Configuration,DC=MyOrg,DC=co,DC=uk

  • I chose to split it by commas (,);
  • take the second token (ID=1) which is CN=MY-DC03;
  • then split that by equals (=);
  • finally take the second token again (ID=1), which is the server name MY-DC03.
Import-Module ActiveDirectory
$UserToLookup = "MyUsername"
$DomainController = "MY-DC01"
$LockedAccount = Get-ADUser $UserToLookup
$LockedObjectPath = $LockedAccount.DistinguishedName
$LockoutReplicationRecord = Get-ADReplicationAttributeMetadata -Object $LockedObjectPath -Server $DomainController |
    Where-Object { $_.AttributeName -eq "lockoutTime" }
# "CN=NTDS Settings,CN=MY-DC03,CN=Servers,..." -> second RDN "CN=MY-DC03" -> "MY-DC03"
$LockoutServer = $LockoutReplicationRecord.LastOriginatingChangeDirectoryServerIdentity.Split(",")[1].Split("=")[1]
$LockoutTime = $LockoutReplicationRecord.LastOriginatingChangeTime
Write-Host "$UserToLookup was locked out on $LockoutServer at $LockoutTime"
Aubs
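Putting both answers together into something that can run unattended overnight, as an added example that is not from either answer: it reads the lockoutTime replication metadata, parses the NTDS Settings DN by RDN (so escaped commas do not break it), treats a value of 0 as "last write was an unlock, so the origin DC is the unlocking DC, not the locking one", and then pulls the matching 4740 event from the originating DC. Function names, the log path and the 5-minute window are assumptions; it needs the ActiveDirectory module on a 2012 or later domain and rights to read the DC's Security log remotely.

```powershell
# Added example: lockout origin from replication metadata, then the 4740 event on that DC.
Import-Module ActiveDirectory

function Get-LockoutOrigin {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$Server = [string](Get-ADDomainController -Discover).HostName)

    $dn   = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -Properties lockoutTime
    # No record: never locked out. Value 0: the last originating write was an unlock,
    # so the "origin" DC would be whoever unlocked it, not whoever locked it.
    if (-not $meta -or [int64]$meta.AttributeValue -eq 0) { return $null }

    # Identity is "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...";
    # split on unescaped commas and keep RDN values, rather than fixed string positions.
    $rdns = $meta.LastOriginatingChangeDirectoryServerIdentity -split '(?<!\\),' |
            ForEach-Object { ($_ -split '=', 2)[1] }
    [pscustomobject]@{
        User     = $SamAccountName
        OriginDC = $rdns[1]
        Site     = $rdns[3]
        LockedAt = $meta.LastOriginatingChangeTime   # only the latest write is kept
        Version  = $meta.Version                     # bumps on every lock/unlock write
    }
}

function Get-LockoutEvent {
    param([Parameter(Mandatory)]$Origin, [int]$WindowMinutes = 5)
    # 4740 is logged on the DC that performed the lockout (and normally on the PDC emulator too).
    $filter = @{ LogName = 'Security'; Id = 4740
                 StartTime = $Origin.LockedAt.AddMinutes(-$WindowMinutes)
                 EndTime   = $Origin.LockedAt.AddMinutes($WindowMinutes) }
    Get-WinEvent -ComputerName $Origin.OriginDC -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $Origin.User) {
            # In 4740 the TargetDomainName data field carries the "Caller Computer Name".
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $_.MachineName
                               User = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
        }
      }
}

# Scheduled-task style usage (assumed path): append each run's findings to a log file.
$origin = Get-LockoutOrigin -SamAccountName 'MyUsername'
if ($origin) {
    $origin | Out-File -Append -FilePath 'C:\Logs\lockouts.txt'
    Get-LockoutEvent -Origin $origin | Out-File -Append -FilePath 'C:\Logs\lockouts.txt'
}
```

Because only the latest originating write survives in the metadata, run this soon after each lockout (or on a schedule) rather than once in the morning, or an overnight unlock will have overwritten the record you wanted.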