Hello all,
I’m curious to see what I’m missing and why the script started to error out about a month or so ago.
This script looks up the AD user accounts that are locked out and outputs them so that we can easily see the lockout source. It also has the option to search based on an AD username; however, this part is what is failing currently.
The script itself is here:
param (
    [Parameter(ValueFromPipeline=$true,Position=0)]$Identity=$null
)
#Look for ID 4740 in the ForwardedEvents Log on DC
$filter = @{ID=4740;LogName="ForwardedEvents"}
If($Identity) { $Filter += @{data=$Identity} }
Get-WinEvent -ComputerName DC -FilterHashTable $Filter -ErrorAction SilentlyContinue |
    Select TimeCreated,
        @{Name="LockoutSource";Expression={$_.Properties[1].Value}},
        @{Name="User";Expression={$_.Properties[0].Value}},
        @{Name="Server";Expression={$_.Properties[4].Value}}
In this instance, we have two AD domains and when I run the script by itself in, let’s say, DomainA, it works fine and shows all AD accounts that are locked out. However, if I run the script with one of those locked out AD accounts, it fails and has the error of “get-winevent: the data is invalid”.
However, if I run the script for/in the other domain (DomainB), everything works fine (even the AD user search/filter).
We even tried to filter in the Event Viewer GUI itself with this code below:
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">
      *[EventData[Data[@Name='TargetUserName'] and (Data='usernamehere')]]
      and
      *[System[(EventID='4740')]]
    </Select>
  </Query>
</QueryList>
In DomainA, it doesn’t work and says “data is invalid (13)” but in DomainB, it works just fine.
Both DCs in both domains are at the same [Windows] patch level and have the same PS version.
Thoughts?
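
The lookup described in the post, written as an added example (not part of the original post): it matches `TargetUserName` by field name in a server-side XPath filter and, if that query throws, falls back to filtering the unfiltered 4740 results on the client, which shows whether only the server-side data filter is failing. The function name `Get-LockoutEvent` and its parameters are hypothetical; `DC` and `ForwardedEvents` are taken from the post.

```powershell
# Added example. Function and parameter names are hypothetical;
# 'DC' and 'ForwardedEvents' are the values used in the post.
function Get-LockoutEvent {
    param([string]$Identity, [string]$ComputerName = 'DC', [string]$LogName = 'ForwardedEvents')
    $common = @{ ComputerName = $ComputerName; LogName = $LogName }

    # Map a 4740 record to an object by EventData field name instead of by index.
    $toRow = {
        param($evt)
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated   = $evt.TimeCreated
            LockoutSource = $data['TargetDomainName']   # same field as Properties[1] in the post
            User          = $data['TargetUserName']     # Properties[0]
            Server        = $data['SubjectUserName']    # Properties[4]
        }
    }

    $all = '*[System[EventID=4740]]'
    if (-not $Identity) {
        return Get-WinEvent @common -FilterXPath $all -ErrorAction SilentlyContinue |
            ForEach-Object { & $toRow $_ }
    }

    # The name is embedded in a quoted XPath literal, so refuse quote characters.
    if ($Identity -match '[''"]') { throw 'Identity must not contain quote characters.' }
    $byUser = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$Identity']]"

    try {
        # Collect first so a failing query emits nothing before the fallback runs.
        $hits = Get-WinEvent @common -FilterXPath $byUser -ErrorAction Stop
        $hits | ForEach-Object { & $toRow $_ }
    }
    catch {
        # "No events found" is a normal empty result, not a query failure.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        Write-Warning "Server-side filter failed: $($_.Exception.Message)"
        Get-WinEvent @common -FilterXPath $all -ErrorAction SilentlyContinue |
            ForEach-Object { & $toRow $_ } |
            Where-Object { $_.User -eq $Identity }
    }
}

# Usage:
#   Get-LockoutEvent                          # all lockouts
#   Get-LockoutEvent -Identity 'usernamehere' # one account
```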