Le script doit être lancé depuis un poste disposant du module PowerShell ActiveDirectory (outils RSAT).
Le compte saisi à l'invite Get-Credential doit disposer d'un droit de lecture sur le journal Sécurité de l'émulateur PDC du domaine (c'est ce journal que le script interroge pour les événements 4740) ; les cmdlets Get-ADDomain et Get-ADUser s'exécutent, elles, avec le compte courant.
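<#
.SYNOPSIS
    Finds the computer(s) from which an Active Directory account was locked out.

.DESCRIPTION
    Prompts for DOMAIN\ACCOUNT, reads the account's LastBadPasswordAttempt from
    the domain's PDC emulator, then queries the PDC's Security log for event
    4740 ("A user account was locked out") in a +/- 1 hour window around that
    timestamp and prints the "Caller Computer Name" of every 4740 event whose
    locked-out account matches the requested name.

    Requirements: the ActiveDirectory PowerShell module on the local host.
    Get-ADDomain / Get-ADUser run as the current user; the credential supplied
    to Get-Credential is used only for Get-WinEvent against the PDC and needs
    read access to its Security log.

    NOTE(review): the 4740 parsing below relies on the English event text
    ("Account Name:" / "Caller Computer Name:" labels, tab-separated values).
    On a DC with a non-English UI language those labels differ; the values are
    then only reachable through $event.Properties, whose index order must be
    verified against that DC's 4740 event schema before relying on it.
#>

function Get-LockoutCallerComputer {
    <#
    .SYNOPSIS
        Extracts the "Caller Computer Name" value from a 4740 event message.
    .PARAMETER Message
        The full text of the event (Get-WinEvent's .Message property).
    .OUTPUTS
        The computer name as a trimmed string, or $null when the line is absent.
    #>
    param([string]$Message)

    foreach ($line in ($Message -split '\r?\n')) {
        # The real event text separates label and value with a tab; '\s*'
        # also tolerates spaces. Trim() drops any trailing whitespace/CR.
        # (The original split the line on spaces and took index 2, which
        # returned "Name:<TAB>host" rather than the host name.)
        if ($line -match '^\s*Caller Computer Name:\s*(.*)$') {
            return $Matches[1].Trim()
        }
    }
    return $null
}

$elapsedTime = [System.Diagnostics.Stopwatch]::StartNew()

# Used only for the remote Security-log read below.
$cred = Get-Credential -Message 'Credential with read access to the PDC emulator Security log'

$accountDomain = Read-Host 'Enter account name with domain name Domain\Account'
# -split takes a regex, so '\\' is one literal backslash; limit 2 keeps any
# further backslashes inside the account part instead of silently dropping it.
$parts   = $accountDomain -split '\\', 2
$domain  = $parts[0]
$account = if ($parts.Count -gt 1) { $parts[1] } else { $null }
# The domain part can never be $null (Split always yields element 0), so test
# for empty/blank rather than $null.
if ([string]::IsNullOrWhiteSpace($domain) -or [string]::IsNullOrWhiteSpace($account)) {
    Write-Host "Account has not been type correctly . Please retry with format DOMAIN\ACCOUNT"
    exit 1
}

# LastBadPasswordAttempt is a per-DC, non-replicated attribute; the PDC
# emulator is the DC the script treats as authoritative for both that value
# and the 4740 events.
$pdc = (Get-ADDomain -Server $domain).PDCEmulator

try {
    $user = Get-ADUser -Identity $account -Server $pdc -Properties LastBadPasswordAttempt -ErrorAction Stop
} catch {
    Write-Host "Account $account has not been found in domain $domain ($($_.Exception.Message))"
    exit 1
}

$lastBadPasswordDate = $user.LastBadPasswordAttempt
# $null must be on the left of -eq. The original compared against "$null"
# (the empty string), which is never equal to $null, so the guard never fired
# and the script then crashed on .AddHours() of a null value.
if ($null -eq $lastBadPasswordDate) {
    Write-Host "Account $account has no bad password attempt recorded on $pdc; nothing to correlate"
    exit 1
}

# Search window: one hour either side of the last bad-password attempt.
$windowStart = $lastBadPasswordDate.AddHours(-1)
$windowEnd   = $lastBadPasswordDate.AddHours(1)

$filter = @{
    LogName   = 'Security'
    ID        = 4740
    StartTime = $windowStart
    EndTime   = $windowEnd
}
# Get-WinEvent reports "No events were found" as an error instead of an empty
# result; silence it and handle the empty case explicitly. @() keeps a single
# event from being unwrapped to a scalar.
$events = @(Get-WinEvent -FilterHashtable $filter -ComputerName $pdc -Credential $cred -ErrorAction SilentlyContinue)

# Match the locked-out account exactly on an "Account Name:" line. The
# original used -match "$Account" unescaped, so regex metacharacters in the
# typed name could throw, and a bare substring match would also accept any
# event whose text merely contains the name (e.g. "jsmith" inside "jsmith2").
$accountPattern = '(?m)^\s*Account Name:\s*' + [regex]::Escape($account) + '\s*$'

$result = @()
foreach ($event in $events) {
    if ($event.Message -notmatch $accountPattern) { continue }
    $caller = Get-LockoutCallerComputer -Message $event.Message
    if ([string]::IsNullOrEmpty($caller)) { $caller = '<unknown>' }
    $result += "Locked from Computer : $caller at $($event.TimeCreated)`n"
}

if ($result.Count -eq 0) {
    Write-Host "No 4740 lockout event for $account found on $pdc between $windowStart and $windowEnd"
} else {
    Write-Host $result
}

$elapsedTime.Stop()
$elapsed = $elapsedTime.Elapsed
Write-Host ('Time Elapsed: {0:d2}:{1:d2}:{2:d2}' -f $elapsed.Hours, $elapsed.Minutes, $elapsed.Seconds)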