From c1f5bae1b61eace5eb832310f1b1eec9120588b7 Mon Sep 17 00:00:00 2001
From: Rephl3x
Date: Wed, 24 Sep 2025 00:27:31 +0000
Subject: [PATCH] Add binoculars.ps1 Script allows you to find where the users account was locked out from allowing you to unlock the users account and let them check the server
---
binoculars.ps1 | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 binoculars.ps1
diff --git a/binoculars.ps1 b/binoculars.ps1
new file mode 100644
index 0000000..29c41f7
--- /dev/null
+++ b/binoculars.ps1
@@ -0,0 +1,30 @@
+# Binoculars provided by Zak Bearman to Datacom MBIE Platforms team.
+
+#Get User XL Format name
+$UN = Read-Host "Enter the username to search for"
+
+# Define the username you are searching for
+$username = "$UN" # Replace with the username of the locked-out user
+
+# Get all domain controllers in the domain
+$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
+
+# Loop through each domain controller and search for Event ID 4740
+foreach ($DC in $DomainControllers) {
+ Write-Host "Checking events on domain controller: $DC"
+
+ # Use Invoke-Command to remotely query the domain controller using Get-EventLog
+ Invoke-Command -ComputerName $DC -ScriptBlock {
+ param ($username)
+
+ # Query the Security event log for Event ID 4740 (Account Lockout)
+ $events = Get-EventLog -LogName "Security" -InstanceId 4740 -Newest 1000 | Where-Object { $_.Message -like "*$username*" }
+
+ foreach ($event in $events) {
+ $timeGenerated = $event.TimeGenerated
+ $message = $event.Message
+
+ Write-Host "User was locked out: $message on this DC at $timeGenerated"
+ }
+ } -ArgumentList $username
+}
\ No newline at end of file
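Review bot: The filter `Where-Object { $_.Message -like "*$username*" }` inside the `Invoke-Command` script block is a wildcard substring match over the whole event message, so a search for one account also reports lockouts of any account whose name contains it, and an empty `Read-Host` answer turns the pattern into `**` and matches every 4740 event. Because the output is used to decide where a lockout came from before the account is unlocked, compare the locked-out account field exactly instead, e.g. `Where-Object { $_.ReplacementStrings[0] -eq $username }` (the first replacement string of a 4740 event should be the target account name; confirm against a sample event on your DCs). Reject blank input right after the prompt with `if ([string]::IsNullOrWhiteSpace($UN)) { throw 'A username is required' }`. The comment `# Replace with the username of the locked-out user` on the `$username = "$UN"` line looks left over from a hard-coded version and should be dropped.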