Identify where user is being locked out from.

2025-09-24 00:49:24 +00:00
parent 75df61b19c
commit 0d83dd3ef2
1 changed files with 47 additions and 26 deletions
--- a/Binoculars.ps1
+++ b/Binoculars.ps1
@@ -1,30 +1,51 @@
-# Binoculars provided by Zak Bearman to Datacom MBIE Platforms team.
-
-#Get User XL Format name
-$UN = Read-Host "Enter the username to search for"
-
+## Created by Zak Bearman - Intel - Datacom - For use on any domain that WinRM is enabled and supported for remote log searching##
+cls
 # Define the username you are searching for
-$username = "$UN" # Replace with the username of the locked-out user
+$username = read-host "Please enter users XL Account or Non XL account" # Replace with the username of the locked-out user
+# Get the PDC Emulator
+$pdcemulator = (Get-ADDomain).PDCEmulator
+$DomainControllers = Get-ADDomainController $pdcemulator | Select-Object -ExpandProperty HostName

-# Get all domain controllers in the domain
-$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
+# Define log file path
+$logFile = "C:\Temp\AccountLockoutLog.txt"

-# Loop through each domain controller and search for Event ID 4740
-foreach ($DC in $DomainControllers) {
-    Write-Host "Checking events on domain controller: $DC"
-    
-    # Use Invoke-Command to remotely query the domain controller using Get-EventLog
-    Invoke-Command -ComputerName $DC -ScriptBlock {
-        param ($username)
-        
-        # Query the Security event log for Event ID 4740 (Account Lockout)
-        $events = Get-EventLog -LogName "Security" -InstanceId 4740 -Newest 1000 | Where-Object { $_.Message -like "*$username*" }
-        
-        foreach ($event in $events) {
-            $timeGenerated = $event.TimeGenerated
-            $message = $event.Message
-
-            Write-Host "User was locked out: $message on this DC at $timeGenerated"
-        }
-    } -ArgumentList $username
+# Create the log file if it doesn't exist
+if (-not (Test-Path $logFile)) {
+    New-Item -Path $logFile -ItemType File -Force
+}
+
+# Loop indefinitely every 5 minutes
+while ($true) {
+    foreach ($DC in $DomainControllers) {
+        Write-Host "Searching on: $DC"
+        Add-Content -Path $logFile -Value "Searching on: $DC - $(Get-Date)"
+
+        # Use Invoke-Command to remotely query the domain controller
+        Invoke-Command -ComputerName $DC -ScriptBlock {
+            param ($username)
+
+            # Query the Security event log for Event ID 4625 (Failed Login Attempt)
+            $events4625 = Get-EventLog -LogName "Security" -InstanceId 4625 -Newest 1000 | Where-Object { $_.Message -like "*$username*" }
+            foreach ($event in $events4625) {
+                $timeGenerated = $event.TimeGenerated
+                $message = $event.Message
+
+                Write-Host "Failed login attempt: $message at $timeGenerated"
+                Add-Content -Path $using:logFile -Value "Failed login attempt: $message at $timeGenerated"
+            }
+
+            # Query the Security event log for Event ID 4740 (Account Lockout)
+            $events4740 = Get-EventLog -LogName "Security" -InstanceId 4740 -Newest 1000 | Where-Object { $_.Message -like "*$username*" }
+            foreach ($event in $events4740) {
+                $timeGenerated = $event.TimeGenerated
+                $message = $event.Message
+
+                Write-Host "Account locked out: $message at $timeGenerated"
+                Add-Content -Path $using:logFile -Value "Account locked out: $message at $timeGenerated"
+            }
+        } -ArgumentList $username
+    }
+
+    # Wait for 10 seconds (10 seconds)
+    Start-Sleep -Seconds 10
 }