If you have several domain controllers and need to look for a specific event, you can use these commands:
[ ] Search ALL domain controllers
COMMAND: Get-EventLog -ComputerName ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindAllDomainControllers().Name "Security" -InstanceId 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message
[ ] Search one domain controller
COMMAND: Get-EventLog -ComputerName xxxxDC01 "Security" -InstanceId 4769 | Format-List TimeGenerated, Message
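An added example (not from the original post or the referenced article): the all-DC search for lockout event 4740, written with Get-WinEvent instead of Get-EventLog so that an unreachable DC does not stop the run and the fields are read by name from the event XML. The function name Get-LockoutEvent and the 24-hour default window are assumptions; USERNAME is the same placeholder as above.

```powershell
# Added example: collect account-lockout events (4740) from every DC in the current domain.
function Get-LockoutEvent {
    param(
        [Parameter(Mandatory)] [string] $UserName,   # account name to look for
        [int] $Hours = 24                            # look-back window (assumed default)
    )

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

    foreach ($dc in $domain.FindAllDomainControllers()) {
        try {
            $events = Get-WinEvent -ComputerName $dc.Name -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # "No events found" is an expected outcome, not a failure.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            # Anything else (DC offline, access denied, firewall) is reported and skipped.
            Write-Warning "$($dc.Name): query failed: $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            # Read the fields by name from the event XML instead of matching on message text.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetUserName'] -ne $UserName) { continue }

            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc.Name
                LockedAccount    = $data['TargetUserName']
                CallerComputer   = $data['TargetDomainName']  # 4740 stores the caller computer name here
            }
        }
    }
}

Get-LockoutEvent -UserName 'USERNAME' | Sort-Object TimeCreated | Format-Table -AutoSize
```

The CallerComputer column is the machine that sent the failed logons, which is usually the next place to look.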
Another option is to use Windows Event Forwarding: http://gonsystem.blogspot.com.es/2016/07/windows-suscripciones-y-envio-de.html
REF: http://jeffwouters.nl/index.php/2012/05/powershell-searching-for-the-cause-of-a-user-account-that-keeps-getting-locked-out/
Checked on Windows 2012 R2
by GoN | Published: September 14, 2017 | Last Updated: