Find Lockout Events


Use PowerShell to Find Lockout Events

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | Select-Object TimeCreated, @{Name="User";Expression={$_.Properties[0].Value}}, @{Name="Source";Expression={$_.Properties[1].Value}}



Find Lockout Source (Caller Computer Name)

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | Where-Object {$_.Properties[0].Value -match "username"} | Select-Object TimeCreated, @{Name="User";Expression={$_.Properties[0].Value}}, @{Name="Source";Expression={$_.Properties[1].Value}}


Check for Bad Password Attempts (Wrong Password Source)

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Where-Object {$_.Properties[5].Value -match "username"} | Select-Object TimeCreated, @{Name="Failure Reason";Expression={$_.Properties[8].Value}}, @{Name="Source";Expression={$_.Properties[13].Value}}, @{Name="Source IP";Expression={$_.Properties[19].Value}}


Find locked-out users:

Search-ADAccount -LockedOut


Find which DC processed the lockout:

Get-ADUser username -Properties lastlogon


Find the source (machine) of the lockout:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740}


Check for bad password attempts:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}
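
The lookups above combined into one script, as an added example that is not part of the original page: it filters with XPath on the log host and reads event fields by name instead of by Properties[] index. The function names ConvertTo-LockoutRecord and Get-LockoutEvent, the user jdoe, and the host WKS-EXAMPLE01 are hypothetical.

```powershell
# Added example, not from the original page. Function names are hypothetical.
# Reads EventData fields by name, so 4740 and 4625 share one parser.
function ConvertTo-LockoutRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # Accept a Get-WinEvent record or a raw event XML string.
        $xml = if ($Record -is [string]) { [xml]$Record } else { [xml]$Record.ToXml() }
        $f = @{}
        foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        $id = [int]$xml.Event.System['EventID'].InnerText
        [pscustomobject]@{
            TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
            EventId     = $id
            User        = $f['TargetUserName']
            # In 4740 the caller computer name is stored in TargetDomainName.
            Source      = if ($id -eq 4740) { $f['TargetDomainName'] } else { $f['WorkstationName'] }
            IpAddress   = $f['IpAddress']   # present in 4625 only
            SubStatus   = $f['SubStatus']   # 4625 only; 0xC000006A means wrong password
        }
    }
}

function Get-LockoutEvent {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [int]$EventId = 4740,
        # Assumption: the PDC emulator's Security log is the place to look for lockouts.
        [string]$ComputerName = (Get-ADDomain).PDCEmulator
    )
    # The name is placed inside a single-quoted XPath literal, so reject quotes.
    if ($UserName.Contains("'")) { throw "UserName must not contain a single quote" }
    # The event log service evaluates the filter, so only matching records are returned.
    $xpath = "*[System[EventID=$EventId] and EventData[Data[@Name='TargetUserName']='$UserName']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath |
        ConvertTo-LockoutRecord
}

# Constructed sample 4740 record (made-up values) to exercise the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="2024-01-15T09:12:44.000Z"/></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">WKS-EXAMPLE01</Data></EventData>
</Event>
'@
$sample | ConvertTo-LockoutRecord

# Live use (needs the ActiveDirectory module and rights to read the Security log):
# Get-LockoutEvent -UserName jdoe | Group-Object Source | Sort-Object Count -Descending
```

Once the caller computer is known, running Get-LockoutEvent with -EventId 4625 and -ComputerName set to that machine lists the failed logons recorded there for the same user.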