There are various ways and tools to tackle this – in the end it boils down to a few facts:
- account lockouts are logged per domain controller – to be more specific – only on the DC where the lockout happened
- this can get complicated in bigger environments
- the lockout event 4771 does not necessarily reveal the initial reason – but it should give you enough information about where it occurred to investigate further
The manual way via Eventlog / Eventviewer in Windows on a DC
- right click on the SECURITY eventlog
- select Filter Current Log
- go to the XML tab
- check the box Edit query manually
- insert the XML code below – make sure you replace the USERNAMEHERE value with the actual username
  - no domain
  - exact username
  - NOT case sensitive
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='USERNAMEHERE')]]</Select>
  </Query>
</QueryList>
```
This results in a filtered eventlog view for the event id 4771 and the username you specified.
Using PowerShell to automate this
PowerShell can execute a script that would give you the same output – I wrote the script below. It expects at least the parameter UserName – see below for more information.
- UserName
  - this parameter is mandatory – the exact username without the domain, this is NOT case sensitive
- DomainController
  - specify this to narrow it down to a single DC – otherwise all domain controllers will be contacted (might take a while)
- FullDetails
  - set it to $true if you want to see details – otherwise you get only the table format
- Example
  - Find-AccountLockoutOnDCForUser.ps1 -FullDetails $true -UserName JDoe
```powershell
param(
    # optional: a single DC to query – if empty, every DC in the domain is contacted
    [string] $DomainController = "",
    # mandatory: the exact username without the domain (not case sensitive)
    [Parameter(Mandatory = $true)]
    [string] $UserName,
    # $true shows every event in full (Format-List), otherwise a table (Format-Table)
    [bool] $FullDetails = $false
)

# the same XPath filter as in the Event Viewer query, with the username inserted
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='$UserName')]]</Select>
  </Query>
</QueryList>
"@

If ($DomainController.Length -eq 0) {
    # no DC given – ask AD for all of them and query each one
    Import-Module ActiveDirectory
    $DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    ForEach ($DC In $DomainControllers) {
        Write-Host "checking DC: $DC"
        If ($FullDetails) {
            Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | fl
        }
        Else {
            Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | ft
        }
    }
}
Else {
    # a single DC was specified
    If ($FullDetails) {
        Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | fl
    }
    Else {
        Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | ft
    }
}
```
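The script above dumps the raw events; the next thing you usually want is the "where it occurred" part – which source address keeps producing the 4771 failures, on which DCs, and since when. The function below is an added example, not the script from the post: it runs the same XPath filter against every DC (or the ones you name), limits it to the last few hours with a timediff() clause in the query, reads the named fields out of the event XML instead of the message text, and groups the results by the IpAddress field of the event. The function name Get-PreAuthFailureSummary and the parameter Hours are my own choices; it assumes the ActiveDirectory module and permission to read the Security log on the DCs remotely.

```powershell
function Get-PreAuthFailureSummary {
    [CmdletBinding()]
    param(
        # sAMAccountName only, no domain prefix (same rule as the post's script)
        [Parameter(Mandatory = $true)]
        [string] $UserName,
        # optional: restrict the search to these DCs (hostnames), otherwise all DCs are queried
        [string[]] $DomainController,
        # how far back to look – an assumed default of 24 hours
        [int] $Hours = 24
    )

    if (-not $DomainController) {
        Import-Module ActiveDirectory
        $DomainController = Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName
    }

    # timediff() works in milliseconds and keeps old events from being pulled over the wire
    $windowMs = $Hours * 3600 * 1000
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]][EventData[Data[@Name='TargetUserName'] and (Data='$UserName')]]</Select>
  </Query>
</QueryList>
"@

    $events = foreach ($dc in $DomainController) {
        Write-Verbose "checking DC: $dc"
        Get-WinEvent -ComputerName $dc -FilterXml $query -ErrorAction SilentlyContinue |
            ForEach-Object {
                # pull the named EventData fields out of the event XML
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    TimeCreated      = $_.TimeCreated
                    DomainController = $dc
                    TargetUserName   = $data['TargetUserName']
                    # 4771 reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix
                    IpAddress        = $data['IpAddress'] -replace '^::ffff:', ''
                    Status           = $data['Status']      # 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password)
                    PreAuthType      = $data['PreAuthType']
                }
            }
    }

    # one row per source address: number of failures, first/last seen, and the DCs that logged them
    $events | Group-Object IpAddress | ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Name
            Failures  = $_.Count
            FirstSeen = ($_.Group | Measure-Object TimeCreated -Minimum).Minimum
            LastSeen  = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
            DCs       = ($_.Group.DomainController | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Failures -Descending
}

# usage:
# Get-PreAuthFailureSummary -UserName JDoe -Hours 8 -Verbose | Format-Table -AutoSize
```

The per-address table is what you take to the next step: a single workstation or server with a steadily growing failure count is typically a cached credential, a mapped drive or a scheduled task still using an old password, while the same user failing from many addresses at once is worth treating as a security event rather than a helpdesk ticket.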