Hi Powershell people …
Powershell is just getting more and more attention each day. I used to do things in vbscript and have not touched vbscript in a long time. That is how much I love powershell. I do not think I'm a Powershell fanboy (but you might think so) and I don't think being one is a bad thing. I mean, it's a very powerful tool. Now with the announcement of V2 coming in 2009 we as administrators are starting to see things in a different light. Back to the point of this blog: I wanted to share a pretty quick and dirty script with you. I mean it's quick and dirty because I haven't spent the time to make it production ready, although you would not need to change much to make it production. Some of you might think it's production ready, but I will share with you what I think it needs. I just didn't have the time.
We are creating a powershell script to basically parse the netlogon.bak file (because the netlogon.txt file is locked under normal operation) on a DC. Now there are plenty of tools out there that do something similar. If you use one of those, that's fine, but I love to try and create my own command line tool. Some tools that you might use are EventComb from Microsoft, and Accountlockout, another GUI that will tell you where the account is locked out and what time the lockout occurred. It also lets you unlock the account. EventComb is nice in that you can search for different criteria like user ID, Event IDs, and multiple computers.
So to recap, this script will create a results.txt file that will contain all lines in the netlogon.bak file that match the user you pass to the script. For those that are not sure where the netlogon.bak file is located, it's in the %windir%\debug folder. This is a GREAT way to find out if the user is being locked out from another machine, which is the cause in a large percentage of cases. You get these calls from users that don't know that they may have logged onto a server or PC and that is the cause, or possibly a service is running on a server under their ID. This log file is helpful in solving these problems. This shouldn't be the only tool you use, but it will help you in determining the root cause.
Here is the script:
######################################################
#Scriptname : Get-AccountLockoutInfo.ps1
#Created by : Chris Federico
#Date : 11/18/2008
######################################################
param ($logonserver,$userid,$help)

function funHelp()
{
$helpText=@"
NAME: Get-AccountLockoutInfo.ps1
Parses the netlogon.bak file for information regarding the account ID that was passed.

PARAMETERS:
-logonserver specifies the logon server for the user
-userid specifies the user ID for the user
-help Prints help file

SYNTAX:
.\Get-AccountLockoutInfo.ps1 -logonserver Foo -userid Johnb
Queries the netlogon.bak file on server Foo for userid Johnb and logs entries that are related to lockouts.

.\Get-AccountLockoutInfo.ps1 -help ?
Prints out help file.
"@
$helpText
exit
}

function funParse-SecurityLogFile($logonserver,$userid)
{
#For Windows 2000 systems: append every line that mentions the user ID to results.txt
$log = gc "\\$logonserver\c$\debug\netlogon.bak" | % { if ($_ -match $userid) {$_ | Out-File ".\results.txt" -Append}}
#For Windows 2008 systems: same search, different path to the debug folder
$log1 = gc "\\$logonserver\c$\windows\debug\netlogon.bak" | % { if ($_ -match $userid) {$_ | Out-File ".\results.txt" -Append}}
}

# suppress errors (one of the two paths above will not exist on a given DC)
$ErrorActionPreference = "SilentlyContinue"

#Check to see if help text is requested
if($help) { write-host "Printing help now..." -ForegroundColor Blue;funHelp}

#Check that both required arguments have been entered.
if(!$logonserver) {write-host "You must supply a logon server." -ForegroundColor Red ; funHelp}
if(!$userid) {write-host "You must supply a userid to search" -ForegroundColor Red ; funHelp}

#Create a new (empty) results file, overwriting any previous run.
New-Item -ItemType file -path ".\results.txt" -Force

#Call the function that does all the work.
funParse-SecurityLogFile $logonserver $userid
The reason why I think that this script is not primetime production is because I don't include a way to tell if the DC you're using is Windows 2000, 2003 or 2008. So I made 2 variables, log and log1, which use different paths. This is not a show stopper, though, because I'm suppressing errors ($ErrorActionPreference = "SilentlyContinue"). If you would like to add a WMI section to find out if the target DC is Windows 2000, 2003 or 2008, then I think it would be ready. You can probably use a switch statement to perform the appropriate action, for example:
switch ($Server)
{
"Windows 2000" { <# Read the log file from the Windows 2000 path #> }
"Windows 2003" { <# Read the log file from the Windows 2003 path #> }
"Windows 2008" { <# Read the log file from the Windows 2008 path #> }
}
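As an added example (not the script above), here is one way to do that WMI lookup. Rather than switching on the OS name, it reads the DC's Windows directory straight from Win32_OperatingSystem, which covers 2000, 2003 and 2008 with a single path, escapes the user ID so it matches literally rather than as a regex, and reports errors instead of suppressing them. It assumes you have WMI (DCOM) access to the DC and can read its C$ admin share; the parameter and function names are my own.

```powershell
# Added example, not the original Get-AccountLockoutInfo.ps1.
# Assumes: WMI (DCOM) access to the DC and read access to its C$ admin share.
param ([string]$LogonServer, [string]$UserId, [string]$OutFile = ".\results.txt")

function Get-NetlogonBakPath([string]$Server) {
    # Win32_OperatingSystem.WindowsDirectory is the DC's %windir%, e.g. C:\WINNT on
    # Windows 2000 or C:\Windows on 2003/2008, so no per-version switch is needed.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Server -ErrorAction Stop
    Write-Verbose ("{0} runs {1}, windir {2}" -f $Server, $os.Caption, $os.WindowsDirectory)
    # Rewrite the local path (C:\Windows) as an admin-share UNC path (\\dc\C$\Windows).
    # In the .NET replacement string $1 is the drive letter and $$ is a literal '$'.
    $unc = $os.WindowsDirectory -replace '^([A-Za-z]):', ('\\' + $Server + '\$1$$')
    return (Join-Path $unc 'debug\netlogon.bak')
}

function Get-UserNetlogonLines([string]$Path, [string]$User) {
    if (-not (Test-Path -Path $Path)) {
        throw "netlogon.bak not found at $Path"
    }
    # Escape the user ID so '.' or other regex metacharacters in it match literally.
    $pattern = [regex]::Escape($User)
    Get-Content -Path $Path | Where-Object { $_ -match $pattern }
}

if (-not $LogonServer -or -not $UserId) {
    Write-Host "Usage: .\Get-NetlogonLines.ps1 -LogonServer <DC> -UserId <user>" -ForegroundColor Red
    exit 1
}

try {
    $bak   = Get-NetlogonBakPath -Server $LogonServer
    $lines = @(Get-UserNetlogonLines -Path $bak -User $UserId)
    # Overwrite any previous results instead of appending to a stale file.
    $lines | Set-Content -Path $OutFile
    Write-Host ("{0} matching line(s) from {1} written to {2}" -f $lines.Count, $bak, $OutFile)
} catch {
    # Surface the failure instead of silently producing an empty results file.
    Write-Host "Failed: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
```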
To summarize: the results.txt file will have all the lines in the netlogon.bak file that have the user ID you passed into the script. So check out the netlogon.bak file to see what kind of information it shows. It is really helpful.
Take care,
Chris Federico
