Add binoculars.ps1

Script allows you to find where the users account was locked out from allowing you to unlock the users account and let them check the server
2025-09-24 00:27:31 +00:00
parent b6395ee050
commit c1f5bae1b6
1 changed files with 30 additions and 0 deletions
--- a/binoculars.ps1
+++ b/binoculars.ps1
@@ -0,0 +1,30 @@
+# Binoculars provided by Zak Bearman to Datacom MBIE Platforms team.
+
+#Get User XL Format name
+$UN = Read-Host "Enter the username to search for"
+
+# Define the username you are searching for
+$username = "$UN" # Replace with the username of the locked-out user
+
+# Get all domain controllers in the domain
+$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
+
+# Loop through each domain controller and search for Event ID 4740
+foreach ($DC in $DomainControllers) {
+    Write-Host "Checking events on domain controller: $DC"
+    
+    # Use Invoke-Command to remotely query the domain controller using Get-EventLog
+    Invoke-Command -ComputerName $DC -ScriptBlock {
+        param ($username)
+        
+        # Query the Security event log for Event ID 4740 (Account Lockout)
+        $events = Get-EventLog -LogName "Security" -InstanceId 4740 -Newest 1000 | Where-Object { $_.Message -like "*$username*" }
+        
+        foreach ($event in $events) {
+            $timeGenerated = $event.TimeGenerated
+            $message = $event.Message
+
+            Write-Host "User was locked out: $message on this DC at $timeGenerated"
+        }
+    } -ArgumentList $username
+}