AD Lockout Source (filtered by user account)

Hello all,

I’m curious to see what I’m missing and why the script started to error out about a month or so ago.

This script looks up the AD user accounts that are locked out and outputs them so that we can easily see the lockout source; it also has the option to search by AD username, and that part is what is failing currently.

The script itself is here:

param (
  [Parameter(ValueFromPipeline=$true,Position=0)]$Identity=$null
)

# Look for ID 4740 (account lockout) in the ForwardedEvents log on the DC
$Filter = @{ID=4740; LogName="ForwardedEvents"}
# Optional server-side match on the event data (TargetUserName for a 4740 event)
If ($Identity) { $Filter += @{Data=$Identity} }

# 4740 EventData positions: [0] TargetUserName, [1] TargetDomainName (caller computer,
# i.e. the lockout source), [4] SubjectUserName (the DC account that processed it)
Get-WinEvent -ComputerName DC -FilterHashtable $Filter -ErrorAction SilentlyContinue |
  Select-Object TimeCreated,
    @{Name="LockoutSource"; Expression={$_.Properties[1].Value}},
    @{Name="User";          Expression={$_.Properties[0].Value}},
    @{Name="Server";        Expression={$_.Properties[4].Value}}

In this instance, we have two AD domains and when I run the script by itself in, let’s say, DomainA, it works fine and shows all AD accounts that are locked out. However, if I run the script with one of those locked out AD accounts, it fails and has the error of “get-winevent: the data is invalid”.

However, if I run the script for/in the other domain (DomainB), everything works fine (even the AD user search/filter).

We even tried to filter in the Event Viewer GUI itself with this code below:

<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">
*[EventData[Data[@Name='TargetUserName'] and (Data='usernamehere')]]
and
*[System[(EventID='4740')]]
</Select>
</Query>
</QueryList>

In DomainA, it doesn’t work and says “data is invalid (13)” but in DomainB, it works just fine.

Both DCs in both domains are at the same [Windows] patch level and have the same PS version.

Thoughts?
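As an added example (not the original poster's script or any reply in this thread), here is a version of the lookup that keeps the server-side filter to the event ID and log name and matches the username client-side by reading the named EventData fields from the event XML. That way a failing Data filter cannot take the whole query down, and the field mapping no longer depends on Properties[] positions. The host name DC, the log name ForwardedEvents and the function name are assumptions taken from the thread; adjust them to your environment.

```powershell
# Added example, not from the original post. Assumes the collector/DC is reachable as 'DC'
# and the forwarded 4740 events land in 'ForwardedEvents', as described in the thread.
function Get-AdLockoutSource {
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline = $true, Position = 0)]
        [string]$Identity,                       # optional sAMAccountName to match
        [string]$ComputerName = 'DC',            # assumption: collector/DC host name
        [string]$LogName      = 'ForwardedEvents',
        [int]$MaxEvents       = 500              # cap so a large log does not stall the query
    )
    process {
        # Server-side filter on log and event ID only; the user match is done below,
        # so the server-side Data filter that failed in the thread is never used.
        $filter = @{ LogName = $LogName; ID = 4740 }
        try {
            $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                                   -MaxEvents $MaxEvents -ErrorAction Stop
        }
        catch {
            # Surface the real error (e.g. "The data is invalid") instead of hiding it
            Write-Warning "Get-WinEvent on $ComputerName/$LogName failed: $($_.Exception.Message)"
            return
        }

        foreach ($e in $events) {
            # Read EventData by name from the event XML rather than by Properties[] index
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Client-side username filter (case-insensitive, like AD logon names)
            if ($Identity -and ($data['TargetUserName'] -ne $Identity)) { continue }

            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                User          = $data['TargetUserName']
                LockoutSource = $data['TargetDomainName']   # 4740 "Caller Computer Name"
                Server        = $data['SubjectUserName']    # DC account that processed the lockout
                ForwardedFrom = $e.MachineName              # source DC as recorded by the forwarder
            }
        }
    }
}

# Usage:
#   Get-AdLockoutSource                     # all forwarded lockouts
#   Get-AdLockoutSource -Identity jdoe      # only lockouts for jdoe
#   'jdoe','asmith' | Get-AdLockoutSource   # several accounts via the pipeline
```

The client-side match costs one pass over the 4740 events the server returns, which is small compared with a full log scan because the ID filter is still applied server-side; raise -MaxEvents if your collector holds more lockouts than that.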

Have you validated the Subscriptions for the “Forwarded Events” on the failing domain?

A co-worker and I did check and verified that there were new events in the Forwarded Events log, so that appears to be working properly.

It’s strange that even with the manual XML query filter within the Event Viewer, it works as long as we don’t try to filter based on AD account.

Should we remove the Forwarded Events/subscriptions in the failing domain (then wait a bit (?)), then re-add/create the subscription? Would that help anything you think?

How about something like this:

<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">
      (Event[System[EventID=4740]]) and Event[EventData[Data[@Name='TargetUserName'] = 'usernamehere']]
    </Select>
  </Query>
</QueryList>

Unfortunately I received the same error:

“Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. The data is invalid (13).”

If I take out the and Event[EventData[Data[@Name='TargetUserName'] = 'usernamehere']] part of the XML query, it works.

So, when you query on just the event ID, have you looked at the results in XML view to validate that TargetUserName exists?

Unfortunately, yes.

There are plenty of accounts that are currently locked and have tried multiple ones to no avail.

Not sure where to go from here. The query I sent works fine on my system, although I used the Security log, not Forwarded Events. In theory, the events are forwarded intact so that should not matter. Any chance you can try that query on the Security log on the DC?

At least I’m not the only one confused by this. XD

I did use the XML query for the Security log on the DC and it works just fine (even when I filtered by username/acct).

A random note that may not have anything to do with anything, but it bothers me…

The Forwarded Events log in the Event Viewer has a space in between Forwarded and Events; however, if I right-click on the log and go to properties, there is no space between the two words (in neither the Full Name nor the Log path fields).

You always use the Full Name field defined in the log properties, so you are good there. I am curious though, have you tried the filter I sent via PowerShell? I suspect it will also fail via PowerShell as well, but worth a shot. Something like this:

$usr    = 'usernamehere'
$dcName = 'DC'   # the DC/collector name used elsewhere in the thread; set this to yours
$XPath  = "(Event[System[EventID=4740]]) and Event[EventData[Data[@Name='TargetUserName'] = '$usr']]"
Get-WinEvent -LogName 'ForwardedEvents' -ComputerName $dcName -FilterXPath $XPath

BTW, this query had no issues on my test system.

Okay thanks for the confirmation on the full name at least. :slight_smile:

I did just try the PowerShell command and got the same issue (“Get-WinEvent : The data is invalid”).

Talked more with co-workers about it, we may just copy off the current ForwardedEvents file and then re-create the subscription/file to see if that helps at all/for some reason.

It could just be the data is corrupt in which case, your approach should fix it. If you resolve the issue, please post the solution for others. Thanks.

Okay, so worked with co-workers and we went ahead and cleared the ForwardedEvents log file (saved it, then cleared it).

Waited a few mins for a lockout to occur…everything works fine now. So maybe somehow if the log file reaches its max size limit, it doesn’t work anymore?

Thanks for the thoughts and input TonyD!

There are several ways to configure Windows Log files when they reach max size. You can easily check via PowerShell.

(Get-WinEvent -ListLog 'ForwardedEvents').LogMode

I have no idea if any of the possible settings would cause your issue. Possibly “Retain” as it requires a manual clear, but I can't see Circular or AutoBackup causing your issue. Here are the settings:

For critical logs like Security, we set to AutoBackup.
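An added example, not TonyD's code, that goes one step past the one-liner above: it reports the retention mode together with the configured maximum, the current file size and the fill level of the log, so a Retain-mode log that is approaching or has hit its limit is visible before queries start failing. The host name DC, the log name ForwardedEvents, the warning threshold and the function name are assumptions.

```powershell
# Added example, not from the thread. Reads the log configuration that
# Get-WinEvent -ListLog exposes (LogMode, MaximumSizeInBytes, FileSize, IsLogFull,
# RecordCount) and flags the conditions discussed above.
function Test-EventLogCapacity {
    [CmdletBinding()]
    param (
        [string]$ComputerName = 'DC',             # assumption: collector/DC host name
        [string]$LogName      = 'ForwardedEvents',
        [int]$WarnPercent     = 90                 # assumption: fill level worth a warning
    )

    $log = Get-WinEvent -ListLog $LogName -ComputerName $ComputerName -ErrorAction Stop

    $usedPercent = if ($log.MaximumSizeInBytes -gt 0) {
        [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    } else { 0 }

    # Retain needs a manual clear once full; Circular overwrites; AutoBackup archives and starts over.
    $retainMode = ($log.LogMode -eq 'Retain')

    [pscustomobject]@{
        ComputerName   = $ComputerName
        LogName        = $log.LogName
        LogMode        = $log.LogMode
        MaxSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        UsedMB         = [math]::Round($log.FileSize / 1MB, 1)
        UsedPercent    = $usedPercent
        IsLogFull      = $log.IsLogFull
        RecordCount    = $log.RecordCount
        LastWriteTime  = $log.LastWriteTime
        NeedsAttention = ($log.IsLogFull -or $usedPercent -ge $WarnPercent -or $retainMode)
    }
}

# Usage:
#   Test-EventLogCapacity                                # check ForwardedEvents on DC
#   Test-EventLogCapacity -LogName Security -WarnPercent 80
#   'DC','DC2' | ForEach-Object { Test-EventLogCapacity -ComputerName $_ }
```

Running this on a schedule against both domains' collectors would have shown a full Retain-mode log well before the "data is invalid" errors appeared. To switch the mode, the same configuration object can be edited and saved (for example setting LogMode to AutoBackup and calling SaveChanges() on the object returned by Get-WinEvent -ListLog), or use wevtutil sl on the collector.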

Okay, thanks for the links and information!

I’ll see what the team wants to do from here on out.