Trying to Get the lockout source IP using sec event log. please advise

Here’s the script that I am using to to get the source of the lockout.


Function Get-LockedOutLocation
{

[CmdletBinding()]

Param(
  [Parameter(Mandatory=$True)]
  [String]$Identity      
)
Begin
{ 
    $DCCounter = 0 
    $LockedOutStats = @()   
            
    Try
    {
        Import-Module ActiveDirectory -ErrorAction Stop
    }
    Catch
    {
       Write-Warning $_
       Break
    }
}
Process
{
    $DomainControllers = Get-ADDomainController -Filter *
    $PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})
    
    Write-Verbose "Finding the domain controllers in the domain"
    Foreach($DC in $DomainControllers)
    {
        $DCCounter++
        Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
        Try
        {
            $UserInfo = Get-ADUser -Identity $Identity  -Server $DC.Hostname -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut -ErrorAction Stop
        }
        Catch
        {
            Write-Warning $_
            Continue
        }
        If($UserInfo.LastBadPasswordAttempt)
        {    
            $LockedOutStats += New-Object -TypeName PSObject -Property @{
                    Name                   = $UserInfo.SamAccountName
                    SID                    = $UserInfo.SID.Value
                    LockedOut              = $UserInfo.LockedOut
                    BadPwdCount            = $UserInfo.BadPwdCount
                    BadPasswordTime        = $UserInfo.BadPasswordTime            
                    DomainController       = $DC.Hostname
                    AccountLockoutTime     = $UserInfo.AccountLockoutTime
                    LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()
                }          
        }
    }
    $LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize

  
    Try
    {  
       Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
       $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
    }
    Catch 
    {          
       Write-Warning $_
       Continue
    }    
                   
    Foreach($Event in $LockedOutEvents)
    {            
       If($Event | Where {$_.Properties[2].value -match $UserInfo.SID.Value})
       { 
          $Event | Select-Object -Property @(
            @{Label = 'User';               Expression = {$_.Properties[0].Value}}
            @{Label = 'DomainController';   Expression = {$_.MachineName}}
            @{Label = 'EventId';            Expression = {$_.Id}}
            @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
            @{Label = 'Message';            Expression = {$_.Message -split "`r" | Select -First 1}}
            @{Label = 'LockedOutLocation';  Expression = {$_.Properties[1].Value}}
          )                                    
        }      
   }
}

}

I’m satisfied with the end result, but today was trying to find why a user keeps getting locked out. and the result was “Workstation” so trying to find out the IP of that workstation. Please Advise!

Please checkout the following articles which provides step by step details to find the source of an account lockout.

https://blogs.technet.microsoft.com/poshchap/2014/05/16/tracing-the-source-of-account-lockouts/

https://blogs.technet.microsoft.com/pie/2016/02/02/ad-fun-services-track-down-the-source-of-adfs-lockouts/

https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html