One problem we run into from time to time is when a user's account keeps getting locked out without any obvious reason (They're not typing in the password wrong - though this is probably the number 1 cause). Usually this is the result of some saved credentials somewhere that are no longer valid; They've expired, or there was a password change, or something. However, if the user logs into multiple machines, or has network resources mapped to a personal device, it can be really hard to tell where the bad login attempts are coming from.
So I wrote a neat little powershell function to help out with this. Bad log on attempts are logged in the domain controllers security logs. However, for various reasons, they can be really hard to find (reasons include username not being in the username field, and domain controller security logs having about a billion events at any given time). This powershell function does a little WMI call to each domain controller you specify and looks for these events so you don't have to.
It's a little messy and slow, but can save a great amount of time whenever these events come up.
I've put in some Get-Help features to which explains how to use it. After you import it run "Get-Help Get-WhyIsThisAccountLocked". Or alternatively just read the first 30 lines or so of the code.
The code:
function Get-WhyIsThisAccountLocked
{
<#
.SYNOPSIS
Querys Domain Conrollers for specific log events looking for failed kerberos authentication.
.Description
Method can be used to discover where a specific account is being locked out from. This will return a list of log events related to failed authentications which you can use to further troubleshoot. Because of how these events are formated, it is difficult to select specific information out of them - So this returns the whole event. The important fields to look for are
AccountName: (verify it returned the correct user - for various reasons it only does a 'like' comparision here)
Client Address: (Where the bad requests are coming from - note you will probably see some coming from the domain controller(s) - unless the user is acutally tying to log into/acess the domain controller, you can ignore these.)
Failure Code: (Tells you more about what sort of authentication was being attempted - google "kerberos autentication failure code")
Service Name: (Can tell you what service was trying to use the account - krbtgt/domain is typically standard login attempt, if it's something else, google it)
.PARAMETER UserID
UserID that is being locked out
.PARAMETER DomainController
Domain controller(s) to query for event logs. This may be either a single hostname/IP or a comma seperated list.
.PARAMETER HoursBack
Number of hours back to search, default is 1. Using large search periods can exponentially slow down the script.
.PARAMETER OutFile
File path to output text to - default is to output to command window
.PARAMETER YesIAmSure
If OutFile is specified, does not ask to confirm file write/overwrite. Otherwise does nothing.
.Example
Get-WhyIsThisAccountLocked -UserID myuser -DomainController "mydomain1,mydomain2" -HoursBack 2 -OutFile c:\temp\output.txt -YesIAmSure
.Notes
Author: Keith Ballou
Date: Feb 28, 2014
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)][string]$UserID,
[parameter(Mandatory=$true)][string]$DomainController,
[Parameter(Mandatory=$false)][int]$HoursBack=1,
[Parameter(Mandatory=$false)][string]$Outfile,
[Parameter(Mandatory=$false)][switch]$YesIAmSure
)
$ListofEvents=""
$SearchTime=(get-date).addhours(-$HoursBack).touniversaltime().tostring("yyyyMMddHHmmss.000000-000")
Write-Verbose "Searching between $SearchTime and Current Time"
$ListofDCs=$DomainController.split(',')
if ($HoursBack -gt 1)
{
write-host "WARNING: Using Larger Serach periods can cause this script to take a very long time" -ForegroundColor "Magenta" -BackgroundColor "Black"
}
foreach ($DC in $ListofDCs)
{
write-host "Querying... " $DC
$Temp=Get-WmiObject -ComputerName $DC -Query "Select * from win32_ntlogevent Where LogFile='Security' AND (Eventcode='4771' OR Eventcode='4769') And Message Like '%$UserID%' AND timegenerated > '$SearchTime'"
foreach($Entry in $Temp)
{
Write-Verbose "Processing Entry"
$ListofEvents+="-------------------------------------------------------------------`n"
$ListofEvents+=$Entry.ComputerName + "`n"
$ListofEvents+=$Entry.Message + "`n"
}
}
if($OutFile -ne "")
{
write-host "`n`nWarning: About to write to $OutFile - This will overwrite any existing data" -ForegroundColor "Magenta" -BackgroundColor "Black"
if($YesIAmSure)
{
out-file -InputObject $ListofEvents -FilePath $OutFile
}
else {
{
out-file -InputObject $ListofEvents -FilePath $OutFile -Confirm
}
}
}
else {
write-host $ListofEvents
}
}
No comments:
Post a Comment