Поиск блокировки учётки.ps1
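<#
.SYNOPSIS
    Finds recent account lockouts and the failed logon that preceded each one.

.DESCRIPTION
    Reads account-lockout events (ID 4740) from the Security log of $PDC.
    For each lockout, reads the newest failed-logon event (ID 4625) for the
    same user from the Security log of the computer named in the lockout
    event, and emits one hashtable per match.

    Reading a remote Security log needs an account allowed to read it on both
    $PDC and the caller computer (for example a member of Event Log Readers).

.PARAMETER User
    Account name to look for. When given, only the newest matching lockout is
    returned ($Count is forced to 1).

.PARAMETER PDC
    Computer whose Security log is searched for 4740 events.

.PARAMETER Count
    Maximum number of lockout events to process when -User is not given.

.OUTPUTS
    Hashtable with keys Username, DCFrom, LockTime, SrcHost, LogonType,
    FalureTime. Nothing is emitted for a lockout with no matching 4625 event.
#>
param (
    $User,
    $PDC = "adcore1",
    $Count = 1
)

# Filter for account-lockout events.
$FilterHash = @{}
$FilterHash.LogName = "Security"
$FilterHash.ID = "4740"
if ($User) {
    # NOTE(review): the Data key appears to match the value against any
    # EventData field, not only TargetUserName - confirm before relying on it.
    $FilterHash.data = $User
    $Count = 1
}

# Filter for failed-logon events; the user name is filled in per lockout.
$FilterHash2 = @{}
$FilterHash2.LogName = "Security"
$FilterHash2.ID = "4625"

Get-WinEvent -ComputerName $PDC -FilterHashtable $FilterHash -MaxEvents $Count | ForEach-Object {
    # Parse the event XML once instead of once per field.
    $LockoutData = ([xml]$_.ToXml()).Event.EventData.Data

    $ResultHash = @{}
    $ResultHash.Username = $LockoutData | Where-Object { $_.Name -eq "TargetUserName" } | ForEach-Object { $_."#text" }
    # In event 4740 the TargetDomainName field carries the caller computer name.
    $ResultHash.DCFrom = $LockoutData | Where-Object { $_.Name -eq "TargetDomainName" } | ForEach-Object { $_."#text" }
    $ResultHash.LockTime = $_.TimeCreated

    if (-not $ResultHash.DCFrom) {
        # Without a caller computer there is no log to query for the failure.
        Write-Warning "Lockout of '$($ResultHash.Username)' at $($ResultHash.LockTime) has no caller computer name; skipping."
        return
    }

    # The original read $username and $dcfrom, which were never assigned, so the
    # second query had no user filter and no target computer.
    $FilterHash2.data = $ResultHash.Username

    Get-WinEvent -ComputerName $ResultHash.DCFrom -FilterHashtable $FilterHash2 -MaxEvents 1 | ForEach-Object {
        $FailureData = ([xml]$_.ToXml()).Event.EventData.Data

        $ResultHash.SrcHost = $FailureData | Where-Object { $_.Name -eq "IpAddress" } | ForEach-Object { $_."#text" }
        $ResultHash.LogonType = $FailureData | Where-Object { $_.Name -eq "LogonType" } | ForEach-Object { $_."#text" }
        # Key name kept as "FalureTime" (sic) so existing consumers keep working.
        $ResultHash.FalureTime = $_.TimeCreated
        $ResultHash
    }
}

# Execution-policy toggles left by the author. If a bypass is needed to run this
# script, "-Scope Process" limits it to the current session, whereas
# "-Scope CurrentUser" persists until it is reverted.
#Set-ExecutionPolicy Restricted -Scope CurrentUser
#Set-ExecutionPolicy Bypass -Scope CurrentUser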