Creating your Own Account Lockout Help Tool 

Hi Powershell people …


PowerShell is getting more and more attention each day. I used to do things in VBScript and have not touched VBScript in a long time; that is how much I love PowerShell. I do not think I'm a PowerShell fanboy (but you might think so), and I don't think being one is a bad thing. I mean, it's a very powerful tool. Now with the announcement of V2 coming in 2009, we as administrators are starting to see things in a different light. Back to the point of this blog: I wanted to share a pretty quick and dirty script with you. I mean it's quick and dirty because I haven't spent the time to make it production ready, although you would not need to change much to make it production ready. Some of you might think it's production ready, but I will share with you what I think it needs. I just didn't have the time.


We are creating a PowerShell script that basically parses the netlogon.bak file (because the netlogon.txt file is locked under normal operation) on a DC. Now there are plenty of tools out there that do something similar. If you use one of those, that's fine, but I love to try and create my own command line tools. One tool you might use is EventComb from Microsoft. AccountLockout is another GUI that will tell you where the account is locked out and what time the lockout occurred; it also lets you unlock the account. EventComb is nice in that you can search for different criteria like user ID, event IDs and multiple computers.


So to recap, this script will create a results.txt file that contains all lines in the netlogon.bak file that match the user you pass to the script. For those that are not sure where the netlogon.bak file is located, it's in the %windir%\debug folder. This is a GREAT way to find out whether the user is being locked out from another machine, which is the cause in a large percentage of cases. You get these calls from users who don't know that they may have logged onto a server or PC and that this is the cause, or possibly a service on a server is running under their ID. This log file is helpful in solving these problems. It shouldn't be the only tool you use, but it will help you in determining the root cause.

Here is the script:


######################################################
#Scriptname : Get-AccountLockoutInfo.ps1
#Created by : Chris Federico
#Date : 11/18/2008
######################################################
param ($logonserver,$userid,$help)
function funHelp()
{
$helpText=@"
NAME: Get-AccountLockoutInfo.ps1
Parses the netlogon.bak file for entries regarding the account ID that was passed.

PARAMETERS:
-logonserver specifies the logon server for the user
-userid specifies the user ID for the user
-help prints this help text

SYNTAX:
.\Get-AccountLockoutInfo.ps1 -logonserver Foo -userid Johnb
Queries the netlogon.bak file on server Foo for userid Johnb and logs the entries that are related to lockouts.

.\Get-AccountLockoutInfo.ps1 -help ?
Prints out the help text.

"@

$helpText
exit
}

function funParse-SecurityLogFile($logonserver,$userid)
{
#Escape the user ID so that -match treats it as literal text rather than a regular expression
$pattern = [regex]::Escape($userid)

#For Windows 2000 systems (the debug folder sits directly under the system drive)
$log = gc "\\$logonserver\c$\debug\netlogon.bak" | ? { $_ -match $pattern }
$log | Out-File ".\results.txt" -Append

#For Windows 2003/2008 systems (the debug folder sits under %windir%)
$log1 = gc "\\$logonserver\c$\windows\debug\netlogon.bak" | ? { $_ -match $pattern }
$log1 | Out-File ".\results.txt" -Append
}

#Suppress errors (only one of the two paths above exists on any given DC)
$ErrorActionPreference = "SilentlyContinue"

#Check to see if help text is requested
if($help) { write-host "Printing help now..." -ForegroundColor Blue;funHelp}

#Check that both the logon server and the user ID have been supplied.
if(!$logonserver) {write-host "You must supply a logon server." -ForegroundColor Red ; funHelp}
if(!$userid) {write-host "You must supply a userid to search." -ForegroundColor Red ; funHelp}

#Create a new (empty) results file; Out-Null stops New-Item from echoing the file object.
New-Item -ItemType file -path ".\results.txt" -Force | Out-Null

#Call the function that does all the work.
funParse-SecurityLogFile $logonserver $userid


The reason why I think this script is not ready for prime-time production is that I don't include a way to tell whether the DC you're using is Windows 2000, 2003 or 2008. So I made two variables, log and log1, which use different paths. This is not a show stopper, though, because I'm suppressing errors ($ErrorActionPreference = "SilentlyContinue"). If you would like to add a WMI section to find out whether the target DC is Windows 2000, 2003 or 2008, then I think it would be ready. You can probably use a switch statement to perform the appropriate action, for example:

switch ($Server)
{
"Windows 2000" {
    # Read the log file from \\$logonserver\c$\debug\netlogon.bak
}
"Windows 2003" {
    # Read the log file from \\$logonserver\c$\windows\debug\netlogon.bak
}
"Windows 2008" {
    # Read the log file from \\$logonserver\c$\windows\debug\netlogon.bak
}
}
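
As an added example of what that production-ready version could look like (this is my own code, not the script from the post): it asks the DC for its OS version over WMI, picks the netlogon.bak path with a switch, keeps the lines that contain the user ID, and then counts how often each source machine shows up in those lines. It assumes the Win32_OperatingSystem Caption contains "2000", "2003" or "2008" and that the SamLogon entries name the source machine after the word "from"; the sample log line in the comment is constructed, not copied from a real log.

```powershell
# Added example, not the post's script: pick the netlogon.bak path from the
# DC's OS version via WMI, filter the lines for the user, then summarise
# which machines the logon attempts came from (assumed "from <host>" format).
param ([string]$logonserver, [string]$userid, [string]$resultsFile = ".\results.txt")

function Get-NetlogonBakPath($server) {
    # Caption looks like "Microsoft Windows Server 2008 Standard"; the 2000
    # layout keeps the debug folder directly under the system drive.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server
    switch -Wildcard ($os.Caption) {
        "*2000*" { return "\\$server\c$\debug\netlogon.bak" }
        "*2003*" { return "\\$server\c$\windows\debug\netlogon.bak" }
        "*2008*" { return "\\$server\c$\windows\debug\netlogon.bak" }
        default  { throw "Unrecognised OS on $server : $($os.Caption)" }
    }
}

function Get-UserLogonLines($lines, $user) {
    # Escape the ID so a name containing regex metacharacters matches literally.
    $pattern = [regex]::Escape($user)
    $lines | Where-Object { $_ -match $pattern }
}

function Get-SourceMachineSummary($lines) {
    # Count how often each source machine appears. Constructed sample line:
    #   11/18 09:15:02 [LOGON] SamLogon: Network logon of CONTOSO\johnb from PC42 Returns 0xC000006A
    # (0xC000006A is STATUS_WRONG_PASSWORD, the usual reason an account locks out)
    $lines | ForEach-Object {
        if ($_ -match '\sfrom\s+(\S+)') { $Matches[1] }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object Name, Count
}

if (-not $logonserver -or -not $userid) {
    Write-Host "Usage: <script> -logonserver <DC> -userid <ID>" -ForegroundColor Red
    exit 1
}

$path = Get-NetlogonBakPath $logonserver
$hits = @(Get-UserLogonLines (Get-Content -Path $path) $userid)
New-Item -ItemType File -Path $resultsFile -Force | Out-Null
$hits | Out-File -FilePath $resultsFile -Append
Write-Host ("{0} line(s) for {1} written to {2}" -f $hits.Count, $userid, $resultsFile)
Get-SourceMachineSummary $hits | Format-Table -AutoSize
```

The machine at the top of the summary table is the first place to look for a stale service, mapped drive or scheduled task still using the user's old password.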

So to summarize, the results.txt file will have all the lines in the netlogon.bak file that contain the user ID you passed into the script. So check out the netlogon.bak file to see what kind of information it shows. It is really helpful.

Take care,

Chris Federico
