Work-Tools/binoculars.ps1

# Binoculars provided by Zak Bearman to Datacom MBIE Platforms team.

#Get User XL Format name
$UN = Read-Host "Enter the username to search for"

# Define the username you are searching for
$username = "$UN" # Replace with the username of the locked-out user

# Get all domain controllers in the domain
$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Loop through each domain controller and search for Event ID 4740
foreach ($DC in $DomainControllers) {
    Write-Host "Checking events on domain controller: $DC"
    
    # Use Invoke-Command to remotely query the domain controller using Get-EventLog
    Invoke-Command -ComputerName $DC -ScriptBlock {
        param ($username)
        
        # Query the Security event log for Event ID 4740 (Account Lockout)
        $events = Get-EventLog -LogName "Security" -InstanceId 4740 -Newest 1000 | Where-Object { $_.Message -like "*$username*" }
        
        foreach ($event in $events) {
            $timeGenerated = $event.TimeGenerated
            $message = $event.Message

            Write-Host "User was locked out: $message on this DC at $timeGenerated"
        }
    } -ArgumentList $username
}