# Windows Security event IDs that matter when tracing an account lockout:
#   4625 - failed logon (bad password), written to the client's Security log
#   4771 - bad password (Kerberos pre-authentication failure), written to the DC's Security log
#   4740 - account locked out, written to the DC's Security log
# Alternative Select that returns the bad-password events together with the lockouts:
# <Select Path="Security">*[System[(EventID=4740 or EventID=4771)]]</Select>
#
# Structured query handed to Get-WinEvent -FilterXml; as written it matches lockouts (4740) only.
# A literal (single-quoted) here-string is used because the query contains nothing to expand.
[xml]$XMLFilter = @'
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4740)]]</Select>
</Query>
</QueryList>
'@
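# Collect the matching events from the Security log of every domain controller.
# Each DC is queried separately and the results are merged into $AllEvents.
$AllDomainControllers = Get-ADDomainController -Filter *
$AllEvents = @()
foreach($DC in $AllDomainControllers){
    $Events = @()
    $QueryErrors = @()
    # Errors stay off the console, but they are captured in $QueryErrors so that a DC that
    # could not be read is reported below instead of silently looking like "0 lockouts".
    $Events += Get-WinEvent -FilterXml $XMLFilter -ComputerName $DC.HostName -ErrorAction SilentlyContinue -ErrorVariable QueryErrors
    foreach($QueryError in $QueryErrors){
        # Get-WinEvent reports an error when the query simply matches nothing; that is the
        # normal "no lockouts on this DC" case and is not worth a warning.
        if("$($QueryError.FullyQualifiedErrorId)" -notlike 'NoMatchingEventsFound*'){
            Write-Warning ('Security log query failed on ' + $DC.HostName + ': ' + $QueryError)
        }
    }
    $AllEvents += $Events
    # Per-DC progress line: host name followed by the number of events retrieved.
    $DC.HostName + ' ' + $Events.Length
}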
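# Flatten each event's <EventData> into properties on the event object, so that fields such as
# TargetUserName can be selected by name later on.
foreach($Event in $AllEvents){
    $EventXMLData = [xml]$Event.ToXml()
    # Enumerating the nodes directly works whether the event carries one Data element or many,
    # and does nothing when there is no EventData at all.
    foreach($DataNode in $EventXMLData.Event.EventData.Data){
        $Name = $DataNode.Name
        # A Data element without a Name attribute cannot become a property; skip it rather
        # than let Add-Member fail on an empty name.
        if([string]::IsNullOrEmpty($Name)){ continue }
        $Value = $DataNode.'#text'
        # -Force: re-running the loop over the same objects replaces the property instead of erroring.
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $Name -Value $Value
    }
}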
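# Report one row per event.
# Event 4740 carries no IpAddress field, so that column is only filled in when the filter also
# selects 4771. For a 4740 lockout the machine the failed logons came from is carried in
# TargetDomainName (shown as "Caller Computer Name" in Event Viewer), so it is listed as well.
# MachineName is the domain controller that logged the event.
$AllEvents |
Select-Object TargetUsername, TargetDomainName, MachineName, TimeCreated, IpAddress, ID |
Format-Table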