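## Created by Zak Bearman - Intel - Datacom - For use on any domain that WinRM is enabled and supported for remote log searching##
#
# Purpose: poll the PDC emulator's Security log for failed logons (4625) and
# account lockouts (4740) whose message mentions the account entered at the
# prompt, echo each hit to the console and append it to $logFile.
# Requires: the ActiveDirectory module and WinRM access to the DC.
# Output:   console lines plus appended lines in $logFile on the machine
#           running this script (not on the DC).

cls

# Define the username you are searching for
$username = read-host "Please enter users account" # Replace with the username of the locked-out user
# An empty name would turn "*$username*" into "*", matching every event.
if ([string]::IsNullOrWhiteSpace($username)) {
    throw "No account name entered; nothing to search for."
}

# Get the PDC Emulator (only this DC is queried; the variable may hold one host)
$pdcemulator = (Get-ADDomain).PDCEmulator
$DomainControllers = Get-ADDomainController $pdcemulator | Select-Object -ExpandProperty HostName

# Define log file path (local to the machine running this script)
$logFile = "C:\Temp\AccountLockoutLog.txt"

# Create the log file if it doesn't exist (-Force also creates C:\Temp)
if (-not (Test-Path $logFile)) {
    New-Item -Path $logFile -ItemType File -Force | Out-Null
}

# Seconds to wait between polling passes
$pollSeconds = 10

# Event IDs to search and the label written in front of each matching log line
$queries = @(
    @{ Id = 4625; Label = "Failed login attempt" },   # Failed Login Attempt
    @{ Id = 4740; Label = "Account locked out" }      # Account Lockout
)

# Loop indefinitely, polling every $pollSeconds seconds (Ctrl+C to stop)
while ($true) {
    foreach ($DC in $DomainControllers) {
        Write-Host "Searching on: $DC"
        Add-Content -Path $logFile -Value "Searching on: $DC - $(Get-Date)"

        # Use Invoke-Command to remotely query the domain controller.
        # The remote script block only RETURNS matches; the original wrote the
        # log with $using:logFile, which lands the file on the DC's disk rather
        # than locally. All writes to $logFile now happen below, on this host.
        $hits = Invoke-Command -ComputerName $DC -ScriptBlock {
            param ($username, $queries)

            foreach ($q in $queries) {
                # NOTE(review): substring match on the message text, so a short
                # account name also matches longer names containing it (e.g. "bob"
                # matches "bobby"); filtering on the event's TargetUserName
                # property would be exact — left as-is to keep original behaviour.
                Get-EventLog -LogName "Security" -InstanceId $q.Id -Newest 1000 |
                    Where-Object { $_.Message -like "*$username*" } |
                    ForEach-Object {
                        [pscustomobject]@{
                            Label         = $q.Label
                            TimeGenerated = $_.TimeGenerated
                            Message       = $_.Message
                        }
                    }
            }
        } -ArgumentList $username, $queries

        foreach ($hit in $hits) {
            # Same line format as before: "<label>: <message> at <time>"
            $line = "$($hit.Label): $($hit.Message) at $($hit.TimeGenerated)"
            Write-Host $line
            Add-Content -Path $logFile -Value $line
        }
    }

    # Wait before the next polling pass
    Start-Sleep -Seconds $pollSeconds
}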