Get-LockedOutLocation - is it possible to make it work forest-wide?

Hi, there!!

I'm speaking about this excellent function from here: https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab#content and I've made it work. In the domain where I'm logged in, I can find information, but how do I get this function to work forest-wide? I get the following error: WARNING: Cannot find an object with identity: 'whateveruser' under: 'DC=eur,DC=ccc,DC=company,DC=com' when running this function against a user from another domain, where whateveruser is a user under 'DC=amr,DC=ccc,DC=company,DC=com', so a different domain in the same forest. Is it possible to make it work forest-wide, so I'll be able to get information from the amr domain as well?

I was able to run following command and get relevant information:

Get-ADUser -Filter {EmployeeID -eq "whateveruser"} -SearchBase 'DC=amr,DC=ccc,DC=company,DC=com' -server "GCServername:3268" -Properties LockedOut, badPwdCount, AccountLockoutTime, LastBadPasswordAttempt | ft -AutoSize Name, LockedOut, badPwdCount, AccountLockoutTime, LastBadPasswordAttempt

The trick here is using the global catalog with the -Server option. But Get-LockedOutLocation is much more useful than the command I've posted above. Any help will be highly appreciated.

Thank you in advance,

Igor R.

August 27th, 2015 3:09am

Hi Igor,

You can do this by:

  1. Removing the part from Get-LockedOutLocation where it tries to import the active directory module and replacing it with the snippet below.
  2. Adding a $Credential parameter
  3. Adding a $RemoteDC parameter
  4. Altering Get-WinEvent to use the credential parameter also

Snippet for 1):

$session = New-PSSession -ComputerName $RemoteDC -Credential $Credential
Invoke-Command -Session $session -scriptblock { import-module ActiveDirectory }
Import-PSSession -Session $session -Module ActiveDirectory

Please note, that this will only give it the capability to be run against any given domain, not for a single user across multiple domains.

Changing it to apply to an actual forest-wide, single-user scenario would require quite a bit more tinkering, which is beyond the scope of this forum. You'll have to piece together the pieces of information you need and learn how and what to change yourself. Here's a hint on how to find all Domain Controllers in your forest, which you'll need for this task:

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.Domains | %{ $_.FindAllDomainControllers() }

Cheers,
Fred
August 27th, 2015 3:25am
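The following is an added example that is not part of the original thread, the Get-LockedOutLocation script, or Fred's snippet. It shows steps 2 to 4 of Fred's list in one place: a lookup function with the $RemoteDC and $Credential parameters he describes, where the credential is passed not only to Get-ADUser but also to Get-WinEvent, because the lockout events (ID 4740) live in the Security log of the PDC emulator of the user's own domain, which the logged-on account may not be allowed to read. The function name, the parameter names and the hypothetical $Identity input are assumptions; the cmdlets and their -Server, -Credential, -ComputerName and -FilterHashtable parameters are standard.

```powershell
# Added example: domain-targeted lockout lookup with explicit DC and credential.
# Not the original Get-LockedOutLocation code; names are hypothetical.
function Get-LockoutInfoFromDomain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity,

        # Any domain controller of the target domain (the $RemoteDC of Fred's step 3).
        [Parameter(Mandatory)]
        [string]$RemoteDC,

        # Needed only when the logged-on account has no rights in that domain.
        [System.Management.Automation.PSCredential]$Credential
    )

    process {
        # Splat the optional credential so every call below works with or without it.
        $common = @{ Server = $RemoteDC }
        if ($Credential) { $common.Credential = $Credential }

        $user = Get-ADUser @common -Identity $Identity `
            -Properties LockedOut, badPwdCount, AccountLockoutTime, LastBadPasswordAttempt

        # Lockout events are written on the PDC emulator of the user's domain.
        $domainInfo = Get-ADDomain @common
        $pdc = $domainInfo.PDCEmulator

        # Event 4740 = "A user account was locked out". Reading a remote Security log
        # across domains is why Get-WinEvent needs the credential too (Fred's step 4).
        $eventParams = @{
            ComputerName    = $pdc
            FilterHashtable = @{ LogName = 'Security'; Id = 4740 }
            MaxEvents       = 100
            ErrorAction     = 'SilentlyContinue'   # Get-WinEvent errors when nothing matches
        }
        if ($Credential) { $eventParams.Credential = $Credential }

        # In 4740, Properties[0] is the locked-out account and Properties[1]
        # the caller computer name (the machine the bad passwords came from).
        $events = Get-WinEvent @eventParams |
            Where-Object { $_.Properties[0].Value -eq $user.SamAccountName } |
            ForEach-Object {
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    CallerComputer = $_.Properties[1].Value
                }
            }

        [pscustomobject]@{
            Name                   = $user.Name
            Domain                 = $domainInfo.DNSRoot
            LockedOut              = $user.LockedOut
            BadPwdCount            = $user.badPwdCount
            AccountLockoutTime     = $user.AccountLockoutTime
            LastBadPasswordAttempt = $user.LastBadPasswordAttempt
            PDCEmulator            = $pdc
            LockoutEvents          = $events
        }
    }
}

# Usage (hypothetical names):
# $cred = Get-Credential 'AMR\admin'
# 'whateveruser' | Get-LockoutInfoFromDomain -RemoteDC 'dc01.amr.ccc.company.com' -Credential $cred
```

Because the credential is splatted, the same function also covers the "no credential needed" case from the original post: leave -Credential out and the AD cmdlets use the caller's own token against the named server, which is all that was needed for the Get-ADUser part, but not for reading the remote Security log.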

Hi, thank you for responding!!

I'm sorry, but I don't have much experience with PowerShell... Could you please help me with the code?

And you are right - searching for a single user over the whole forest is not a suitable option. I prefer to have a separate script for each domain. So, could you please help me with the code, where I have to configure the $Credential parameter and the $RemoteDC parameter. Not sure I understand why I need to alter Get-WinEvent to use the credential parameter also... My credential was good enough to retrieve user information when I ran the relevant command (from my original post).


August 30th, 2015 6:01am

You do not need to do any remoting just get the user from the GC and, if needed, get the user object using the DistinguishedName.  The AD CmdLets do their own remoting.

As for fixing code found on the Internet - contact the author for help.  We don't fix old code.  You can ask a specific question about how to do something and use part of the code as an example.  You are asking for a complete solution.

August 30th, 2015 6:26am

I took a quick look at the code.  It needs to have a complete patch to look at the domain that defines the user.

The whole premise of the code is odd. Why is it necessary to query everything to find a locked-out user?  Why do you need the event log information?

If this is forensic then there are better and easier approaches. If this is diagnostic then there are better and easier approaches.  For resets none of this is necessary.

August 30th, 2015 6:35am

Hi,

I've already asked my question on the author's page but did not get an answer, therefore I'm asking here for assistance.

And I'm not asking for a complete solution, I'm asking how to change the code so it will search within the desired domain and not where I'm logged in, as per default.

August 30th, 2015 6:48am

Hi,

I've already asked my question on the author's page but did not get an answer, therefore I'm asking here for assistance.

And I'm not asking for a complete solution, I'm asking how to change the code so it will search within the desired domain and not where I'm logged in, as per default.

Asking for a fix is asking for a solution and not asking a specific technical question.

You can try Fred's method but it may not work as expected.

The script is designed to work in a pipeline.  That would make it easy and have excellent performance.  By altering the code to grab a user from the GC, then extract the domain and adjust all calls to use the domain, you would have a solution.  Writing this would best be done by the author or someone trained in AD and Windows technologies.  It is not an end-user thing.  "No user-serviceable items in the box"

Ask the author to upgrade the code.  Upgrade the code yourself by learning AD and PowerShell.  Contact a consultant to modify the code.

I would do it myself but it is more than a 5 minute fix and I see no need for that code anyway.  It does a lot of things that appear to be unnecessary.

August 30th, 2015 7:12am

Here is a starter.

1.  Code accepts an Identity from the pipeline.  Modify code to grab domain from identity.
2.  Modify calls to get DCs to specify domain.
3.  Modify outputs to reflect specific new requirements.

Of course you will have to learn both AD and PowerShell to do this, so start here: https://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx?f=255&MSPPError=-2147217396

August 30th, 2015 7:25am
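The following is an added example that is not part of the thread and not the Get-LockedOutLocation script. It carries out the "starter" steps 1 and 2 above, together with the earlier advice to get the user from the GC and then use the DistinguishedName: the function accepts an identity from the pipeline, resolves it through a global catalog (port 3268, as in the original post), derives the user's domain from the DC= components of the DN, enumerates the domain controllers of that domain instead of the logon domain, and reads the non-replicated badPwdCount and lastBadPasswordAttempt attributes from each DC. The function name and the $GlobalCatalog parameter name are assumptions; no remoting is used, since the AD cmdlets reach each server through their own -Server parameter.

```powershell
# Added example: resolve a user via the GC, then query the DCs of the user's own domain.
# Not the original script; the function and parameter names are hypothetical.
function Get-LockoutOriginDC {
    [CmdletBinding()]
    param(
        # Step 1: the identity arrives from the pipeline (sAMAccountName).
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity,

        # Any global catalog server in the forest; port 3268 is the GC LDAP port.
        [Parameter(Mandatory)]
        [string]$GlobalCatalog
    )

    process {
        # The GC holds every forest domain, so the search is no longer limited to
        # the logon domain. Only the DN is needed from this partial-attribute copy.
        $gcUser = Get-ADUser -Filter { SamAccountName -eq $Identity } `
                             -Server "$($GlobalCatalog):3268"
        if (-not $gcUser) {
            Write-Warning "No user '$Identity' found in the forest via $GlobalCatalog"
            return
        }

        # Grab the domain from the identity: join the DC= parts of the DN into a DNS name,
        # e.g. CN=x,OU=y,DC=amr,DC=ccc,DC=company,DC=com -> amr.ccc.company.com
        $domain = ($gcUser.DistinguishedName -split ',' |
                   Where-Object { $_ -like 'DC=*' } |
                   ForEach-Object { $_ -replace '^DC=' }) -join '.'

        # Step 2: get the DCs of that domain, not of the current one.
        $dcs = Get-ADDomainController -Filter * -Server $domain

        # badPwdCount and lastBadPasswordAttempt are not replicated between DCs, so each
        # DC is asked by name with the full DN; the DC holding the newest bad attempt
        # is the one that received the failing logons.
        foreach ($dc in $dcs) {
            $u = Get-ADUser -Identity $gcUser.DistinguishedName -Server $dc.HostName `
                            -Properties badPwdCount, lastBadPasswordAttempt, LockedOut
            [pscustomobject]@{
                User                   = $gcUser.SamAccountName
                Domain                 = $domain
                DomainController       = $dc.HostName
                BadPwdCount            = $u.badPwdCount
                LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                LockedOut              = $u.LockedOut
            }
        }
    }
}

# Usage (hypothetical names): one row per DC, newest bad-password attempt first.
# 'whateveruser' | Get-LockoutOriginDC -GlobalCatalog 'GCServername' |
#     Sort-Object LastBadPasswordAttempt -Descending | Format-Table -AutoSize
```

The script-block filter keeps the identity as a variable rather than interpolating it into a filter string, so an identity containing quotes cannot alter the query. Once the DC with the latest bad attempt is known, the 4740 lockout event on that domain's PDC emulator (which names the caller computer) is the next place to look, and that is the part the original script reads from the event log.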

Ok, thanks. I'll try your suggestion.
August 30th, 2015 7:37am
