Tuesday, March 7, 2017

How come my account locked up again?

We recently had a user who changed their network password, but the account kept getting locked out.  We have a manual and tedious method of finding where the lockout is occurring.  I took it upon myself to find a way to locate the source of the lockout using PowerShell.  Here are two scripts I found to help us find the location:

Get-LockedOutUser
#Requires -Version 3.0

<#
.SYNOPSIS
Get-LockedOutUser.ps1 returns a list of users who were locked out in Active Directory.

.DESCRIPTION
Get-LockedOutUser.ps1 is an advanced script that returns a list of users who were locked out in Active Directory
by querying the event logs on the PDC emulator in the domain.

.PARAMETER DomainName
The domain whose PDC emulator is queried. The default is the current user's domain ($env:USERDOMAIN).

.PARAMETER UserName
The userid of the specific user you are looking for lockouts for. The default is all locked out users.

.PARAMETER StartTime
The datetime to start searching from. The default is the last three days.

.EXAMPLE
Get-LockedOutUser.ps1

.EXAMPLE
Get-LockedOutUser.ps1 -UserName 'mikefrobbins'

.EXAMPLE
Get-LockedOutUser.ps1 -StartTime (Get-Date).AddDays(-1)

.EXAMPLE
Get-LockedOutUser.ps1 -UserName 'mikefrobbins' -StartTime (Get-Date).AddDays(-1)
#>

[CmdletBinding()]
param (
    [ValidateNotNullOrEmpty()]
    [string]$DomainName = $env:USERDOMAIN,

    [ValidateNotNullOrEmpty()]
    [string]$UserName = "*",

    [ValidateNotNullOrEmpty()]
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)

# Locate the PDC emulator for the domain (it receives every lockout) and run the query there
Invoke-Command -ComputerName (
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((
        New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName))
    ).PdcRoleOwner.Name
) {
    # Event ID 4740: "A user account was locked out"
    Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
    Where-Object {$_.Properties[0].Value -like "$Using:UserName"} |
    Select-Object -Property TimeCreated,
        @{Label='UserName';Expression={$_.Properties[0].Value}},    # TargetUserName
        @{Label='ClientName';Expression={$_.Properties[1].Value}}   # Caller Computer Name
} -Credential (Get-Credential) |
Select-Object -Property TimeCreated, UserName, ClientName

This script will require administrative credentials.  Here is the output from the script:
The UserName is the account that is locked out.  The ClientName is the computer from which the lockout originated (the "Caller Computer Name" in the event).

Get-LockedOutInfo
## Define the username that's locked out
$username = '<user name>' # put in user name

## Find the domain controller holding the PDCe role (requires the ActiveDirectory module)
$Pdce = (Get-ADDomain).PDCEmulator

## Build the parameters to pass to Get-WinEvent
$GweParams = @{
    'ComputerName' = $Pdce
    'LogName'      = 'Security'
    'FilterXPath'  = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$username']]"
}

## Query the security event log (Get-WinEvent returns the newest event first)
$Events = Get-WinEvent @GweParams

$Events[0].Properties[0].Value   # TargetUserName: the locked-out account
$Events[0].Properties[1].Value   # Caller Computer Name: where the lockout came from


This script will look for lockout information for a specific user.  The line $Events[0].Properties[0].Value gives the user name.  $Events[0].Properties[1].Value gives the computer from which the lockout originated.
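Both scripts above read the 4740 fields by position (Properties[0], Properties[1]) and the second one fails silently when no events match. The following function is an added example, not code from the original post or from the scripts' authors; it reads the named EventData fields from the event XML instead, handles the no-events case, and summarises lockouts per source computer so repeat offenders stand out. It assumes the ActiveDirectory module is installed and that the caller can read the PDC emulator's Security log; the function and parameter names are my own.

```powershell
#Requires -Version 3.0
# Added example: summarise 4740 lockouts per source computer on the PDC emulator.
# Assumes the ActiveDirectory module (Get-ADDomain) and read access to the PDCe Security log.
function Get-LockoutSource {
    [CmdletBinding()]
    param (
        [string]$UserName = '*',
        [datetime]$StartTime = (Get-Date).AddDays(-3),
        [string]$ComputerName = (Get-ADDomain).PDCEmulator
    )

    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $StartTime }
    # Without -ErrorAction, Get-WinEvent throws "No events were found" when nothing matches
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No 4740 events on $ComputerName since $StartTime"
        return
    }

    $events | ForEach-Object {
        # Read the named EventData fields from the XML rather than relying on Properties[n] ordering
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            UserName    = $data['TargetUserName']   # the locked-out account
            Source      = $data['TargetDomainName'] # shown as "Caller Computer Name" in the event
            LockedBy    = $data['SubjectUserName']  # the DC that registered the lockout
        }
    } |
    Where-Object { $_.UserName -like $UserName } |
    Group-Object -Property UserName, Source |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            UserName  = $sorted[0].UserName
            Source    = $sorted[0].Source
            Lockouts  = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
        }
    } | Sort-Object LastSeen -Descending
}

# Usage: lockouts for one account over the last day, one row per source computer
Get-LockoutSource -UserName 'jdoe' -StartTime (Get-Date).AddHours(-24) | Format-Table -AutoSize
```

A Source that appears with many lockouts in a short window is usually a machine still holding the old password (a mapped drive, scheduled task, service or cached credential), which is where to look next.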

I would like to take full credit for the code but, as you know, scripters borrow code from others.  I appreciate the people who have created the code and I hopefully will be able to have my code used by others.

I hope you find these scripts helpful.
