Get-LockedOutLocation - is it possible to make it work forest-wide?

Hi, there!!

I'm speaking about this excellent function from here: https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab#content and I've made it work. In the domain where I'm logged in, I can find information, but how do I get this function to work forest-wide? I get the following error: WARNING: Cannot find an object with identity: 'whateveruser' under: 'DC=eur,DC=ccc,DC=company,DC=com' when running this function against a user from another domain. Here whateveruser is a user under 'DC=amr,DC=ccc,DC=company,DC=com', so it's a different domain in the same forest. Is it possible to make it work forest-wide, so I'll be able to get information from the amr domain as well?

I was able to run following command and get relevant information:

Get-ADUser -Filter {EmployeeID -eq "whateveruser"} -SearchBase 'DC=amr,DC=ccc,DC=company,DC=com' -server "GCServername:3268" -Properties LockedOut, badPwdCount, AccountLockoutTime, LastBadPasswordAttempt | ft -AutoSize Name, LockedOut, badPwdCount, AccountLockoutTime, LastBadPasswordAttempt

The trick here is using the global catalog with the -server option. But Get-LockedOutLocation is much more useful than the command I've posted above. Any help will be highly appreciated.

Thank you in advance,

Igor R.

 
August 27th, 2015 3:04am

Hi Igor,

you can do this by ...

  1. Removing the part from Get-LockedOutLocation where it tries to import the active directory module and replacing it with the snippet below.
  2. Adding a $Credential parameter
  3. Adding a $RemoteDC parameter
  4. Altering Get-WinEvent to use the credential parameter also

Snippet for 1):

$session = New-PSSession -ComputerName $RemoteDC -Credential $Credential
Invoke-Command -Session $session -scriptblock { import-module ActiveDirectory }
Import-PSSession -Session $session -Module ActiveDirectory

Please note that this will only give it the capability to be run against any given domain, not for a single user across multiple domains.

Changing it to apply to an actual forest-wide for a single user scenario would require quite a bit more tinkering, which is beyond the scope of this forum. You'll have to piece together the pieces of information you need and learn how and what to change yourself. Here's a hint on how to find all Domain Controllers in your forest, which you'll need for this task:

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.Domains | %{ $_.FindAllDomainControllers() }

Cheers,
Fred
August 27th, 2015 3:25am
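A forest-wide version of the lookup Fred hints at, as an added example rather than code from the thread or from Get-LockedOutLocation itself: it walks every domain in the forest, asks each DC for the bad-password counters (badPwdCount and badPasswordTime are not replicated, so every DC holds its own values) and pulls lockout event 4740 from each domain's PDC emulator, where the lockout is recorded. It assumes the RSAT ActiveDirectory module is installed and that the running account can read every domain and each PDC emulator's Security log; the function name Get-ForestLockoutInfo is hypothetical.

```powershell
# Added example, not part of the original thread or of Get-LockedOutLocation.
# Assumes: RSAT ActiveDirectory module; rights to read all domains and each PDC's Security log.
function Get-ForestLockoutInfo {
    param([Parameter(Mandatory)][string] $SamAccountName)

    Import-Module ActiveDirectory
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    foreach ($domain in $forest.Domains) {
        # Resolve the account in this domain; skip domains where it does not exist
        # (the "Cannot find an object with identity" case from the question).
        $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Server $domain.Name `
                           -Properties LockedOut, AccountLockoutTime -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        # badPwdCount / LastBadPasswordAttempt are per-DC (non-replicated), so query every DC.
        foreach ($dc in $domain.FindAllDomainControllers()) {
            try {
                $u = Get-ADUser -Identity $user.DistinguishedName -Server $dc.Name `
                                -Properties badPwdCount, LastBadPasswordAttempt -ErrorAction Stop
                [pscustomobject]@{
                    Domain                 = $domain.Name
                    DC                     = $dc.Name
                    LockedOut              = $user.LockedOut
                    AccountLockoutTime     = $user.AccountLockoutTime
                    BadPwdCount            = $u.badPwdCount
                    LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                }
            } catch { Write-Warning "$($dc.Name): $_" }
        }

        # Event 4740 ("A user account was locked out") is written on the PDC emulator.
        # Properties[0] is the locked account, Properties[1] the caller computer name.
        $pdc = $domain.PdcRoleOwner.Name
        Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                     -ErrorAction SilentlyContinue |
            Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
            ForEach-Object {
                [pscustomobject]@{
                    Domain        = $domain.Name
                    PDC           = $pdc
                    TimeCreated   = $_.TimeCreated
                    LockoutSource = $_.Properties[1].Value
                }
            }
    }
}

Get-ForestLockoutInfo -SamAccountName 'whateveruser' | Format-Table -AutoSize
```

The first set of objects shows which DC saw the failed attempts; the second names the machine the lockout came from, which is what you need to track down the stale credential.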

