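#Paolo Frigo, scriptinglibrary.com
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Interactive walk-through for verifying an Active Directory account-lockout policy.

.DESCRIPTION
    Creates a throw-away user, gives it a password, drives the configured number of
    failed logons through runas, then confirms the lockout three ways: the user
    object (LockedOut / LastBadPasswordAttempt), Search-ADAccount -LockedOut, and
    Security event 4740 on the PDC emulator, whose message names the calling computer.

    Run this step by step in a lab domain, not unattended: runas prompts for a
    password at every attempt, and the test deliberately locks an account and
    generates failed-logon audit events.

.NOTES
    Lockout state is not uniformly replicated: bad-password counts are kept per DC and
    forwarded to the PDC emulator, and event 4740 is written on the PDC emulator.
    Every command below therefore targets the PDC explicitly with -Server, which also
    avoids reading a just-created object from a DC that has not replicated it yet.
#>

$domain   = Get-ADDomain
$pdc      = $domain.PDCEmulator        # authoritative DC for lockout state and for event 4740
$testUser = 'test-user'

#create a test user (New-ADUser creates it disabled and without a password)
New-ADUser -Name $testUser -Server $pdc
#let's check the user created
Get-ADUser -Identity $testUser -Server $pdc
<#
DistinguishedName : CN=test-user,CN=Users,DC=contoso,DC=com
Enabled : False
GivenName :
Name : test-user
ObjectClass : user
ObjectGUID : 8353f6f5-2a3d-4096-a021-a430e3f257cc
SamAccountName : test-user
SID : S-1-5-21-3655427247-682778731-3851803015-1103
Surname :
UserPrincipalName :
#>

#Set a password for this user. -Reset is an administrative reset, so no "current
#password" is requested (the plain Set-ADAccountPassword form prompts for one, and
#a change - as opposed to a reset - is also subject to MinPasswordAge).
$newPassword = Read-Host -Prompt "New password for $testUser" -AsSecureString
Set-ADAccountPassword -Identity $testUser -Server $pdc -Reset -NewPassword $newPassword
#Let's enable our test account
Enable-ADAccount -Identity $testUser -Server $pdc

#Resolve the policy that actually applies to this user: a fine-grained password
#policy (PSO) overrides the domain default, so checking only the default can mislead.
#Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies.
$policy = Get-ADUserResultantPasswordPolicy -Identity $testUser -Server $pdc
if (-not $policy) {
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
}
$policy
<#
ComplexityEnabled : True
DistinguishedName : DC=contoso,DC=com
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 5
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : dfc165e9-bbf7-46a3-82c8-6eecac1e2496
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False
#>
#A threshold of 0 means lockout is disabled: there is nothing to test and the
#runas loop below would never lock the account.
if ($policy.LockoutThreshold -eq 0) {
    throw "LockoutThreshold is 0: account lockout is disabled for $testUser."
}

#Start from a clean slate. A bad-password count left over from an earlier attempt
#that is still inside LockoutObservationWindow makes the account lock early; the
#sample run below already had LastBadPasswordAttempt set before the test began.
Unlock-ADAccount -Identity $testUser -Server $pdc
#let's double check our user before starting to test
Get-ADUser -Identity $testUser -Server $pdc -Properties LockedOut, LastBadPasswordAttempt, badPwdCount
<#
DistinguishedName : CN=test-user,CN=Users,DC=contoso,DC=com
Enabled : True
GivenName :
LastBadPasswordAttempt : 1/11/2018 11:37:45 PM
LockedOut : False
Name : test-user
ObjectClass : user
ObjectGUID : 8353f6f5-2a3d-4096-a021-a430e3f257cc
SamAccountName : test-user
SID : S-1-5-21-3655427247-682778731-3851803015-1103
Surname :
UserPrincipalName :
#>

#Make LockoutThreshold wrong authentication attempts to lock out the test user.
#Type a WRONG password at each prompt: runas is interactive and takes no password
#argument. The count comes from the policy instead of a hard-coded 5.
$account = "$($domain.NetBIOSName)\$testUser"
1..$policy.LockoutThreshold | ForEach-Object { runas /user:$account cmd }
<#
Enter the password for contoso\test-user:
Attempting to start cmd as user "contoso\test-user" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.
Enter the password for contoso\test-user:
Attempting to start cmd as user "contoso\test-user" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.
Enter the password for contoso\test-user:
Attempting to start cmd as user "contoso\test-user" ...
RUNAS ERROR: Unable to run - cmd
1909: The referenced account is currently locked out and may not be logged on to.
Enter the password for contoso\test-user:
Attempting to start cmd as user "contoso\test-user" ...
RUNAS ERROR: Unable to run - cmd
1909: The referenced account is currently locked out and may not be logged on to.
Enter the password for contoso\test-user:
Attempting to start cmd as user "contoso\test-user" ...
RUNAS ERROR: Unable to run - cmd
1909: The referenced account is currently locked out and may not be logged on to.
#>
#NOTE: in the sample run the account locked after two failures, not five. The
#earlier bad attempt (LastBadPasswordAttempt 11:37 PM, inside the 30-minute window)
#already counted; whether each runas failure is counted more than once is not
#established here - confirm against the DC's failed-logon events (4625 / 4771).

#let's check our user (read from the PDC, where bad-password counts are forwarded)
Get-ADUser -Identity $testUser -Server $pdc -Properties LockedOut, LastBadPasswordAttempt, badPwdCount, LockoutTime
<#
DistinguishedName : CN=test-user,CN=Users,DC=contoso,DC=com
Enabled : True
GivenName :
LastBadPasswordAttempt : 1/11/2018 11:59:00 PM
LockedOut : True
Name : test-user
ObjectClass : user
ObjectGUID : 8353f6f5-2a3d-4096-a021-a430e3f257cc
SamAccountName : test-user
SID : S-1-5-21-3655427247-682778731-3851803015-1103
Surname :
UserPrincipalName :
#>
#search for locked out accounts
Search-ADAccount -LockedOut -Server $pdc
<#
AccountExpirationDate :
DistinguishedName : CN=test-user,CN=Users,DC=contoso,DC=com
Enabled : True
LastLogonDate :
LockedOut : True
Name : test-user
ObjectClass : user
ObjectGUID : 8353f6f5-2a3d-4096-a021-a430e3f257cc
PasswordExpired : False
PasswordNeverExpires : False
SamAccountName : test-user
SID : S-1-5-21-3655427247-682778731-3851803015-1103
UserPrincipalName :
#>
#investigate a specific user (example: search by display name)
Get-ADUser -Filter {DisplayName -like "John D*"} -Server $pdc -Properties PasswordExpired, PasswordLastSet, EmailAddress, BadLogonCount, LastBadPasswordAttempt, LastLogonDate, LockedOut, LockoutTime

#Event 4740 ("A user account was locked out") is written on the PDC emulator, so
#query that DC rather than whichever one Get-ADDomainController happens to return.
#It only exists if "Audit User Account Management" (success) is enabled on the DCs.
#Get-WinEvent with -FilterHashtable replaces the legacy Get-EventLog / -InstanceId.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 5
<#
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
13236 Nov 01 23:59 SuccessA... Microsoft-Windows... 4740 A user account was locked out....
#>
#Let's find the caller: "Caller Computer Name" is the machine the bad passwords
#came from, which is where an investigation of a real lockout starts.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1 |
    Select-Object -ExpandProperty Message
<#
A user account was locked out.
Subject:
Security ID: S-1-5-18
Account Name: MYDC$
Account Domain: CONTOSO
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: S-1-5-21-3655427247-682778731-3851803015-1103
Account Name: test-user
Additional Information:
Caller Computer Name: MYDC
#>

#Close the test: unlock and disable the account rather than leaving a locked,
#enabled test user in the directory. In a lab, prefer deleting it outright
#(Remove-ADUser -Identity $testUser -Server $pdc) so it cannot be re-enabled later.
Unlock-ADAccount -Identity $testUser -Server $pdc
Disable-ADAccount -Identity $testUser -Server $pdc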