Bad password attempts are recorded on each Domain Controller separately (depending on which is being used for authentication at the time). So it’s possible for multiple domain controllers to have separate, different bad password attempt counts.
While each Domain Controller keeps the server holding the PDC Emulator FSMO role updated with its count (so that the account can be locked out once the maximum number is exceeded), the total is not easily tracked, so we have to query each domain controller separately for that number.
This PowerShell script (without modification) queries each domain controller and sums the number of bad password attempts. A message is then displayed for each user who has a number of bad password attempts greater than 0.
# Import active directory modules
import-module activedirectory;
# Get all domain controllers
$dcs = get-adcomputer -filter * -searchbase "ou=domain controllers,dc=kamal,dc=local";
# Get all users - change "-filter {enabled -eq $true}" to a username to get just one user
$users = get-aduser -filter {enabled -eq $true} | sort name;
# Loop through all users found
foreach ($user in $users) {
    $badpwdcount = 0;
    # Loop through each domain controller
    foreach ($dc in $dcs) {
        $newuser = get-aduser $user.samaccountname -server $dc.name -properties badpwdcount;
        # Increment bad password count
        $badpwdcount = $badpwdcount + $newuser.badpwdcount;
    }
    # Highlight account if bad password count is greater than 0
    if ($badpwdcount -gt 0) {
        $outline = "******* " + $user.name + " - Badpwdcount: " + $badpwdcount + " *******";
    } else {
        $outline = $user.name + " - Badpwdcount: " + $badpwdcount;
    }
    write-host $outline;
}
The resulting output should look like this:
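A fuller version of the same approach, added here as an example rather than the author's script: it enumerates DCs with Get-ADDomainController instead of a hard-coded OU path, keeps the per-DC counts alongside the sum, marks which DC holds the PDC Emulator role, records unreachable DCs instead of silently dropping their share of the count, and compares the total against the domain's lockout threshold. The function name Get-BadPwdCountPerDC is an assumption; it needs the RSAT ActiveDirectory module and read access to each DC.

```powershell
# Added example (not the original post's script). Assumes the RSAT ActiveDirectory
# module and read access to every DC; Get-BadPwdCountPerDC is a hypothetical name.
Import-Module ActiveDirectory

function Get-BadPwdCountPerDC {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Enumerate DCs instead of hard-coding the Domain Controllers OU path
    $dcs = Get-ADDomainController -Filter *
    # LockoutThreshold of 0 means account lockout is disabled in the domain policy
    $threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

    $perDc = foreach ($dc in $dcs) {
        try {
            # badPwdCount is not replicated, so each DC has to be asked directly
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
            [pscustomobject]@{
                DC                     = $dc.HostName
                IsPdcEmulator          = ($dc.OperationMasterRoles -contains 'PDCEmulator')
                BadPwdCount            = [int]$u.badPwdCount   # $null becomes 0
                LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                LockedOut              = $u.LockedOut
                Error                  = $null
            }
        } catch {
            # An unreachable DC is reported, not ignored, so the sum is known to be partial
            [pscustomobject]@{
                DC = $dc.HostName; IsPdcEmulator = $null; BadPwdCount = $null
                LastBadPasswordAttempt = $null; LockedOut = $null
                Error = $_.Exception.Message
            }
        }
    }

    $total = ($perDc | Where-Object { $null -eq $_.Error } |
              Measure-Object -Property BadPwdCount -Sum).Sum
    [pscustomobject]@{
        SamAccountName   = $SamAccountName
        TotalBadPwdCount = [int]$total
        LockoutThreshold = $threshold
        UnreachableDCs   = @($perDc | Where-Object { $_.Error }).DC
        PerDC            = $perDc | Sort-Object BadPwdCount -Descending
    }
}

# Usage: $r = Get-BadPwdCountPerDC -SamAccountName 'jdoe'; $r.PerDC | Format-Table
```

Sorting the per-DC rows by count puts the DC that is actually receiving the failed logons at the top, which is usually the one whose security log is worth reading next.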
I was using a similar approach to check an individual user’s badpwdcount but I found the numbers were fudged as the property isn’t replicated across Domain Controllers 🙁
If you have an alternative approach that amalgamates the values from the different DCs I’d be in your debt.
If you echo the username inside the users for loop, and then echo the DC name and badpwdcount inside the DC for loop, you get the badpwdcount for each DC for each user.
# Import active directory modules
import-module activedirectory;
# Get all domain controllers
$dcs = get-adcomputer -filter * -searchbase "ou=domain controllers,dc=kamal,dc=local";
# Get all users - change "-filter {enabled -eq $true}" to a username to get just one user
$users = get-aduser -filter {enabled -eq $true} | sort name;
# Loop through all users found
foreach ($user in $users) {
    $userline = "Username: " + $user.name;
    write-host $userline;
    # Loop through each domain controller
    foreach ($dc in $dcs) {
        $newuser = get-aduser $user.samaccountname -server $dc.name -properties badpwdcount;
        $dcline = $dc.name + " " + $newuser.badpwdcount;
        write-host $dcline;
    }
}