A user's account keeps locking out, but you can't figure out where the bad logons are coming from. This PowerShell command queries a domain controller's Security log to identify the source of the lockout event.

The Fix

# Replace 'lockeduser' with the actual locked-out username
# Replace 'YourDomainController' with the name of a DC (or use Get-ADDomainController)
$username = "lockeduser"
$dc = "YourDomainController"

# Event 4740 fields: Properties[0] = TargetUserName, Properties[1] = TargetDomainName (the caller computer name)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} -ComputerName $dc |
    Where-Object { $_.Properties[0].Value -eq $username } |
    Select-Object TimeCreated,
        @{Name='TargetUserName'; Expression={$_.Properties[0].Value}},
        @{Name='SourceComputerName'; Expression={$_.Properties[1].Value}}

Why it works

  • Event ID 4740 logs account lockout events, and property 1 (the TargetDomainName field, shown in Event Viewer as "Caller Computer Name") usually contains the name of the computer from which the lockout originated.

Verify

# Examine the output
  • The output will list lockout events for the specified user, including the SourceComputerName (the machine attempting the bad password login).

Notes

  • Requires the Remote Event Log Management firewall rule to be enabled on the DC.
  • You'll need appropriate permissions to query security logs on the Domain Controller.
  • You may need to query multiple DCs if the lockout source isn't immediately obvious.
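
The multi-DC case from the notes, as an added example (not code from the original post): it reads the 4740 fields by name rather than by position, reports an unreachable DC as a warning instead of stopping, and counts lockouts per source machine. The function names, the example.test hosts and the sample events are constructed for illustration; the live call at the end assumes the ActiveDirectory module is installed.

```powershell
# Added example: parse 4740 event XML by field name and summarise per source machine.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $caller = $data['TargetDomainName']   # 4740 stores the caller computer name in this field
        if (-not $caller) { $caller = '(blank)' }   # the field can be empty; keep those events visible
        [pscustomobject]@{
            TimeCreated        = [datetime]$evt.System.TimeCreated.SystemTime
            DomainController   = $evt.System.Computer
            TargetUserName     = $data['TargetUserName']
            SourceComputerName = $caller
        }
    }
}

# Pull raw 4740 XML from several DCs. A DC that is unreachable or has no 4740 events yields a warning.
function Get-LockoutEventXml {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($dc in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='Security'; Id=4740} -ErrorAction Stop |
                ForEach-Object { $_.ToXml() }
        } catch { Write-Warning "$dc : $($_.Exception.Message)" }
    }
}

# Constructed sample events (not real log data), so the parsing can be tried without a DC.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4740</EventID><TimeCreated SystemTime="{0}"/><Computer>{1}</Computer></System><EventData><Data Name="TargetUserName">{2}</Data><Data Name="TargetDomainName">{3}</Data></EventData></Event>'
$sample = @(
    $template -f '2024-05-01T09:15:02Z', 'DC01.example.test', 'lockeduser', 'WKSTN-042'
    $template -f '2024-05-01T09:47:10Z', 'DC02.example.test', 'lockeduser', 'WKSTN-042'
    $template -f '2024-05-01T10:03:55Z', 'DC01.example.test', 'lockeduser', ''
)
$sample | ConvertFrom-LockoutEventXml | Where-Object TargetUserName -eq 'lockeduser' |
    Group-Object SourceComputerName | Sort-Object Count -Descending | Select-Object Count, Name

# Against live DCs:
# Get-LockoutEventXml -ComputerName (Get-ADDomainController -Filter *).HostName | ConvertFrom-LockoutEventXml
```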

Techworks Blog