Cmdlet to get information about which computer is locking out an AD account

Time: 2020-06-11 09:10:43

Tags: powershell events event-log windows-server user-accounts

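I need to find out which computer is locking out my account. I can do this in the GUI by opening Event Viewer and finding the log event in the Security log, but that is time-consuming, and since this happens often in our environment I need a faster solution. I wrote this command: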

Get-EventLog security -ComputerName DC -InstanceId 4740 | ? {$_.Message -like "MyUserName"} | FL

I also tried -match instead of -like, but neither returned any results. Does anyone know which operator I should use to get what I need?

1 answer:

Answer 0: (score: 0)

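Like @vonPryz, I would normally use altools, but it responds with the DC on which the account was locked out. Then I came across the code below at https://thesysadminchannel.com/get-account-lock-out-source-powershell/, which looks like just the ticket; one of the prerequisites is that you can query remote Event Viewer access on the DC.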

Code from the site is copied below (in case the site goes offline); credit goes to Paul of The Sysadmin Channel:

#requires -Module ActiveDirectory
#Import-Module ActiveDirectory -EA Stop

Function Get-AccountLockoutStatus {
<#
.Synopsis
This will iterate through all your domain controllers by default and checks for event 4740 in event viewer. To use this, you must dot source the file and call the function.
For updated help and examples refer to -Online version.


.DESCRIPTION
This will go through all domain controllers by default and check to see if there are event ID for lockouts and display the information in table with Username, Time, Computername and CallerComputer.
For updated help and examples refer to -Online version.


.NOTES  
Name: Get-AccountLockoutStatus
Author: The Sysadmin Channel
Version: 1.01
DateCreated: 2017-Apr-09
DateUpdated: 2017-Apr-09

.LINK
https://thesysadminchannel.com/get-account-lock-out-source-powershell


.PARAMETER ComputerName
By default all domain controllers are checked. If a computername is specified, it will check only that.

.PARAMETER Username
If a username is specified, it will only output events for that username.

.PARAMETER DaysFromToday
This will set the number of days to check in the event logs.  Default is 3 days.

.EXAMPLE
Get-AccountLockoutStatus

Description:
Will generate a list of lockout events on all domain controllers.

.EXAMPLE
Get-AccountLockoutStatus -ComputerName DC01, DC02

Description:
Will generate a list of lockout events on DC01 and DC02.

.EXAMPLE
Get-AccountLockoutStatus -Username Username

Description:
Will generate a list of lockout events on all domain controllers and filter that specific user.

.EXAMPLE
Get-AccountLockoutStatus -DaysFromToday 2

Description:
Will generate a list of lockout events on all domain controllers going back only 2 days.

#>

[CmdletBinding()]
param(
    [Parameter(
        ValueFromPipeline=$true,
        ValueFromPipelineByPropertyName=$true,
        Position=0)]

    [string[]]     $ComputerName = (Get-ADDomainController -Filter * |  select -ExpandProperty Name),

    [Parameter()]
    [string]       $Username,

    [Parameter()]
    [int]          $DaysFromToday = 3

)


BEGIN {
    $Object = @()
}

PROCESS {
    Foreach ($Computer in $ComputerName) {
        try {
            $EventID = Get-WinEvent -ComputerName $Computer -FilterHashtable @{Logname = 'Security'; ID = 4740; StartTime = (Get-Date).AddDays(-$DaysFromToday)} -EA 0
            Foreach ($Event in $EventID) {
                $Properties = @{Computername   = $Computer
                                Time           = $Event.TimeCreated
                                Username       = $Event.Properties.value[0]
                                CallerComputer = $Event.Properties.value[1]
                                }
                $Object += New-Object -TypeName PSObject -Property $Properties | Select ComputerName, Username, Time, CallerComputer
            }

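        } catch {
            # Surface the failure instead of silently discarding it
            $ErrorMessage = $Computer + " Error: " + $_.Exception.Message
            Write-Warning $ErrorMessage

        } finally {
            if ($Username) {
                    Write-Output $Object | Where-Object {$_.Username -eq $Username}
                } else {
                    Write-Output $Object
            }
            # Reset to an empty array; with $null, += fails once a later computer returns several events
            $Object = @()
        }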

    }

}     


END {}

}
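
As an added example (not part of the original answer or of the Sysadmin Channel script): `-like` without wildcards is an exact comparison, so testing the whole message text against a bare user name matches nothing. The code below instead filters on the event's named `TargetUserName` field with an XPath query that the DC evaluates. The function names, the PDC emulator default and the sample record are assumptions made for illustration.

```powershell
# Added example, not from the original post; function names are hypothetical.
function ConvertFrom-LockoutEventXml {
    # Turns the XML of one 4740 event into an object with named fields.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeUtc        = $evt.System.TimeCreated.SystemTime
            Username       = $data['TargetUserName']
            # Event 4740 stores the caller computer name in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
            LoggedOn       = $evt.System.Computer
        }
    }
}

function Get-LockoutSource {
    param(
        # Restricting the characters keeps the name from breaking out of the XPath literal.
        [Parameter(Mandatory)][ValidatePattern('^[\w.\- $]+$')][string]$Username,
        [int]$DaysFromToday = 3,
        # Assumption: the ActiveDirectory module is available; the PDC emulator is the
        # default because lockouts from the whole domain are expected to be recorded there.
        [string]$ComputerName = (Get-ADDomain).PDCEmulator
    )
    $ms    = [int64]$DaysFromToday * 86400000
    $xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $ms]]]" +
             " and *[EventData[Data[@Name='TargetUserName']='$Username']]"
    # The DC applies the filter, so only matching records cross the network.
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath |
        ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutEventXml
}

# Constructed sample 4740 record (not real data) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="2020-06-11T01:02:03.0000000Z"/><Computer>DC01.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">MyUserName</Data>
    <Data Name="TargetDomainName">WORKSTATION07</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LockoutEventXml
```

Against a live domain the call would be `Get-LockoutSource -Username MyUserName`, which needs the same remote event log read access on the DC that the answer mentions.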