I'm trying to make a PowerShell script that essentially automates the account lockout tools. Ideally I'll be able to get a fairly efficient query that can identify recently locked out accounts, then retrieve that data from our DCs and probably send an email letting us know who was locked out, with a copy of the "message" from the security log.

Here's what I have so far. I read that to use Get-WinEvent we have to use a hashtable, so I created a hashtable object and expanded my datetime variables into the hashtable, and they appear correct. If I run something like $hash.starttime | gm, I can confirm that it's still a System.DateTime object.

    $LockedOut = Get-ADUser -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut -Filter * | ?{$_.AccountLockOutTime -ge (Get-Date).AddHours(-3)}
    $LockedOut | ft name,samaccountname,LockedOut,AccountLockoutTime,BadPwdCount,LastBadPasswordAttempt
    $DomainControllers = Get-ADDomainController -Filter *
    ForEach($lockeduser in $LockedOut)
    {
        $lockeduser.Name
        ForEach($DC in $DomainControllers.name)
        {
            $before = ($lockeduser.AccountLockoutTime.AddMinutes(1)).date
            $after = ($lockeduser.AccountLockoutTime.AddMinutes(-1)).date
            $hash = $null
            $hash = @{}
            $hash.Add("Logname", "security")
            $hash.Add("Starttime", $after)
            $hash.Add("Endtime", $before)
            $DC
            $messagecriteria = $lockeduser.Name
            $message = Get-WinEvent -ComputerName $DC -FilterHashtable $hash | ?{$_.Message -like "*$messagecriteria*"}
            $message
        }
        "----------------------------------------------------------------------------------------------------------"
    }

But when I run the query I only get back:

    Get-WinEvent : No events were found that match the specified selection criteria.
    At line:19 char:20
    + $message = Get-WinEvent -ComputerName $DC -FilterHashtable $hash | ?{$_ ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
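
An added example, not part of the original post: one way to build the per-user lockout query so the time window keeps its time of day (`DateTime.Date` truncates to midnight, which collapses both bounds of the window above to the same instant). It assumes the ActiveDirectory module, read access to each DC's Security log, and that lockouts are logged as event ID 4740; `Get-LockoutWindow` is a hypothetical helper name.

```powershell
# Added example, not the poster's code. Assumes the ActiveDirectory module and
# permission to read the Security log on every domain controller.
Import-Module ActiveDirectory

function Get-LockoutWindow {
    param([datetime]$LockoutTime, [int]$Minutes = 1)
    # Keep the full timestamp. DateTime.Date truncates to midnight, so using it
    # on both bounds gives StartTime == EndTime and the query matches nothing.
    @{
        StartTime = $LockoutTime.AddMinutes(-$Minutes)
        EndTime   = $LockoutTime.AddMinutes($Minutes)
    }
}

$lockedOut = Get-ADUser -Filter * -Properties AccountLockoutTime, BadPwdCount |
    Where-Object { $_.AccountLockoutTime -ge (Get-Date).AddHours(-3) }
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($user in $lockedOut) {
    # Event ID 4740 = "A user account was locked out"; filtering on Id at the
    # source avoids pulling every Security event in the window over the wire.
    $filter = @{ LogName = 'Security'; Id = 4740 } +
              (Get-LockoutWindow -LockoutTime $user.AccountLockoutTime)
    foreach ($dc in $dcs) {
        # DCs that did not record this lockout raise NoMatchingEventsFound;
        # that is expected, so suppress it instead of treating it as a failure.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($evt in $events) {
            # Read named EventData fields rather than wildcard-matching Message.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $user.SamAccountName) { continue }
            [pscustomobject]@{
                User           = $user.SamAccountName
                DC             = $dc
                TimeCreated    = $evt.TimeCreated
                CallerComputer = $data['TargetDomainName']  # 4740 stores the caller computer name here
                Message        = $evt.Message
            }
        }
    }
}
$report | Format-List
```

`-ErrorAction SilentlyContinue` also hides unreachable-DC errors, so log or test connectivity separately if a silent gap in coverage matters.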