To find account lockout events on multiple domain controllers, download Log Parser 2.2 and execute the following command in a domain admin context (e.g. runas /user:domain\administrator logparser.exe). The part below the command goes in "lockouts.sql". The account lockout event ID is 644; if you need to find other event IDs, read Microsoft's KB174074. Also, this script reads each domain controller's security event log sequentially, so if you're in a hurry, run a separate logparser process for each domain controller.
logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:datagrid
------stick this part in lockouts.sql
SELECT
    timegenerated AS LogonTime,
    extract_token(strings, 0, '|') AS UserName,
    message AS Message
FROM \\domaincontroller1\Security, \\domaincontroller2\Security, \\domaincontroller3\Security
WHERE EventID = 644
-----end here
If you want the output to go into a database instead of a datagrid (Excel-type) table, make the logparser command look like this:
logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:SQL -server:myDBservername -driver:"SQL Server" -database:myDBname -createtable:ON
The table name will end up matching your database name. Set -createtable to OFF after you've run it once.
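As an added example (not part of the original post), here is a Python script that works on the same query's rows once they are saved with Log Parser's -o:CSV output instead of the datagrid: it groups lockouts per account and flags accounts locked out repeatedly inside a short window, which is the usual sign of a stale cached credential on a service, scheduled task or mapped drive retrying in the background. The CSV rows below are constructed sample data, not real event log output.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the lockouts.sql output saved with "-o:CSV" (not real event data).
# The columns are the SELECT aliases from the query; LogonTime uses Log Parser's default
# timestamp rendering.
SAMPLE_CSV = """LogonTime,UserName,Message
2008-03-04 08:01:12,jsmith,"User Account Locked Out: Target Account Name: jsmith"
2008-03-04 08:31:40,jsmith,"User Account Locked Out: Target Account Name: jsmith"
2008-03-04 08:59:02,JSMITH,"User Account Locked Out: Target Account Name: JSMITH"
2008-03-04 09:45:00,abrown,"User Account Locked Out: Target Account Name: abrown"
"""


def parse_lockouts(text):
    """Return (LogonTime, UserName, Message) tuples from Log Parser CSV output."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(r["LogonTime"], "%Y-%m-%d %H:%M:%S")
        rows.append((when, r["UserName"], r["Message"]))
    return rows


def lockout_summary(rows, window=timedelta(hours=1), threshold=3):
    """Per account (case-folded so differently cased names are grouped together):
    total lockouts, first and last time, and whether `threshold` or more lockouts
    fall inside any span of length `window` (the repeated-lockout pattern)."""
    by_user = defaultdict(list)
    for when, user, _message in rows:
        by_user[user.lower()].append(when)
    summary = {}
    for user, times in by_user.items():
        times.sort()
        repeated = False
        for i, start in enumerate(times):
            # count lockouts from this one forward that still fall inside the window
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                repeated = True
                break
        summary[user] = {"count": len(times), "first": times[0],
                         "last": times[-1], "repeated": repeated}
    return summary


if __name__ == "__main__":
    for user, info in sorted(lockout_summary(parse_lockouts(SAMPLE_CSV)).items()):
        flag = "REPEATED" if info["repeated"] else ""
        print(f"{user:12} {info['count']:3} {info['first']} .. {info['last']} {flag}")
```

Point parse_lockouts at the file written by the -o:CSV run (one per domain controller if you launched several processes) and concatenate the row lists before summarising.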
Props to: Microsoft's Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett.
If you're going to be doing anything with Windows logs, buy the book. It's more useful than several log management software packages I've demoed.