Here’s the script that I am using to get the source of the lockout.
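Function Get-LockedOutLocation
{
    <#
    .SYNOPSIS
        Reports where an Active Directory account lockout came from.
    .DESCRIPTION
        Queries every domain controller for the account's bad-password and lockout
        state and prints it as a table. It then reads lockout events (ID 4740) from
        the Security log of the PDC emulator and emits one object per event whose
        target SID is exactly the SID of the requested account.
    .PARAMETER Identity
        Account to look up; passed unchanged to Get-ADUser -Identity.
    .OUTPUTS
        Format-Table output with the per-DC state, followed by objects with the
        properties User, DomainController, EventId, LockedOutTimeStamp, Message and
        LockedOutLocation.
    .NOTES
        LockedOutLocation is the caller computer name stored in event 4740. It is a
        name, not a network address, and it may be empty or a generic value. To get
        a source address, correlate the lockout time with the failed-authentication
        events on the domain controller that counted the bad passwords, typically
        4771 (Kerberos pre-authentication failed, which carries a client address),
        and with 4625 on the host where the logon was attempted.
        Reading the Security log remotely needs suitable rights on the PDC emulator;
        confirm what your environment grants.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$Identity
    )

    Begin
    {
        $DCCounter = 0
        $LockedOutStats = @()
        $ModuleLoaded = $True

        Try
        {
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        Catch
        {
            Write-Warning $_
            # 'Break' outside a loop unwinds into the caller and can silently end
            # the calling script; record the failure and let Process return instead.
            $ModuleLoaded = $False
        }
    }

    Process
    {
        If (-not $ModuleLoaded) { Return }

        # @() keeps .Count valid when the domain has a single domain controller.
        $DomainControllers = @(Get-ADDomainController -Filter *)
        $PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})

        # SID of the requested account, taken from the first DC that answers.
        $TargetSid = $null

        Write-Verbose "Finding the domain controllers in the domain"
        # Bad-password counters are kept per domain controller, so each DC is asked.
        Foreach ($DC in $DomainControllers)
        {
            $DCCounter++
            Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
            Try
            {
                # BadPasswordTime is requested explicitly; without it the field
                # stored below is always empty.
                $UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,BadPasswordTime,LockedOut -ErrorAction Stop
            }
            Catch
            {
                Write-Warning $_
                Continue
            }

            If (-not $TargetSid)
            {
                $TargetSid = $UserInfo.SID.Value
            }

            If ($UserInfo.LastBadPasswordAttempt)
            {
                $LockedOutStats += New-Object -TypeName PSObject -Property @{
                    Name                   = $UserInfo.SamAccountName
                    SID                    = $UserInfo.SID.Value
                    LockedOut              = $UserInfo.LockedOut
                    BadPwdCount            = $UserInfo.BadPwdCount
                    BadPasswordTime        = $UserInfo.BadPasswordTime
                    DomainController       = $DC.Hostname
                    AccountLockoutTime     = $UserInfo.AccountLockoutTime
                    LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()
                }
            }
        }

        $LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize

        # With no SID the event filter below would have nothing to compare against
        # (a -match against an empty value matches every event), so other users'
        # lockouts would be reported as this account's.
        If (-not $TargetSid)
        {
            Write-Warning "Could not resolve '$Identity' on any domain controller; skipping the event log query."
            Return
        }

        Try
        {
            Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
            $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
        }
        Catch
        {
            Write-Warning $_
            # Not inside a loop here: 'Continue' would unwind into the caller.
            Return
        }

        # $LockoutEvent rather than $Event, which is an automatic variable.
        Foreach ($LockoutEvent in $LockedOutEvents)
        {
            # Exact comparison: a regex/substring match would also accept any SID
            # that merely starts with this one (a RID with extra trailing digits).
            If ([string]$LockoutEvent.Properties[2].Value -eq $TargetSid)
            {
                $LockoutEvent | Select-Object -Property @(
                    @{Label = 'User';               Expression = {$_.Properties[0].Value}}
                    @{Label = 'DomainController';   Expression = {$_.MachineName}}
                    @{Label = 'EventId';            Expression = {$_.Id}}
                    @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
                    @{Label = 'Message';            Expression = {$_.Message -split "`r" | Select-Object -First 1}}
                    @{Label = 'LockedOutLocation';  Expression = {$_.Properties[1].Value}}
                )
            }
        }
    }
}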
I’m satisfied with the end result, but today I was trying to find out why a user keeps getting locked out, and the result was “Workstation”, so now I am trying to find the IP of that workstation. Please advise!