I have a account which is keep locking out but this happens night time where we are not able to take logs or grab logs. So what I like to do is write a powershell script to take these logs for me.

I'm using AL TOOLs. Within ALTools the is program called LockoutStatus with this program they is column called Orig Lock

I just like to know where this information is collected from, is it from even or from user?

I only need the Orig Lock info

Please see below screenshot

I have a account which is keep locking out but this happens night time where we are not able to take logs or grab logs. So what I like to do is write a powershell script to take these logs for me.

I'm using AL TOOLs. Within ALTools the is program called LockoutStatus with this program they is column called Orig Lock

I just like to know where this information is collected from, is it from even or from user?

I only need the Orig Lock info

In event viewer of the PDC Emulator. Filter security events on 4740 event id.

4740 gives the name of PC or server which made bad user or password request. I dont wont that i Wont to know where the info is coming from LockoutStatus program.

Please see the image. I wont to know which server locked the account Original lock

The events should be collected from the event viewer of your DCs.

I would recommend using eventCombMT to extract the required information about account lockout: http://support.microsoft.com/kb/824209

I do understand they are tool which can do this but my question is not what tool i can use to collect this information.

My question is where Can I find this information which LockoutStatus collects.

I need to find out what server was the first to lock the account.

If you see the image below you will see it.

What i'm looking for

> If you see the image below you will see it.   As Mahdi and Ahmed already answered: This is part of the event 4740...  

If I look into 4740 it would say which server was the first to make a account lock

I have check each DC and they all say I locked this account which is not correct.

4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Mon Jan 26 12:07:53 2015,No User,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  server$   Account Domain:  dn Logon ID:  0x3e7    Account That Was Locked Out:   Security ID:  S-1-5-21-85745802-1543857936-45857   Account Name:  user-id Additional Information:   Caller Computer Name: 

All the logs with 4740 showing same DC which I am checking.

What I need to find out who was the first DC to lock the account

We have over 40 DC within our company.

So What I like to do is create powershell script which show which DC locked the account.

Is they is faster approach to this.

Some DC are over sea.

> Is they is faster approach to this.   Custom eventlog query or "eventcombmt.exe"  

I have try this but it just takes forever.

$computerName="name"

$EntryType="SuccessAudit","FailureAudit"

Get-EventLog -logname Security -ComputerName $computerName -EntryType $EntryType -InstanceId "4740"

I also tried.

Get-WinEvent `

   -ComputerName $computerName `

    -FilterHashtable @{LogName="Security";Id=4740;} | Where-object {$_.message -like ("*" + $InUserID + "*")}

but no results

• Edited by LalaJee Wednesday, January 28, 2015 12:00 PM

We have over 40 DC within our company.

So What I like to do is create powershell script which show which DC locked the account.

Is they is faster approach to this.

Some DC are over sea.

Yes there is.

• Read my blog: Am I locked out? Where? How?