Get-WinEvent -FilterHashtable @{logname='security'; id=4776} | fl
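This command retrieves credential validation events (event ID 4776) from the Windows Security log and displays them as a formatted list (fl is an alias for Format-List). Event ID 4776 records attempts to validate credentials for an account, which makes it a useful starting point when investigating account lockouts.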
Event IDs:
4624 - An account was successfully logged on.
4625 - An account failed to log on.
4740 - A user account was locked out.
4776 - The computer attempted to validate the credentials for an account.
For more detailed information on local account logons, use event ID 4624.
Error Code | Description
0xC0000064 | Incorrect username.
0xC000006A | The username is correct, but not the password.
0xC000006D | A generic logon failure.
0xC000006F | Unauthorized account logon outside authorized hours.
0xC0000070 | Unauthorized logon from a restricted workstation.
0xC0000071 | The user tried to log on with an expired password.
0xC0000072 | Unauthorized logon due to a disabled account.
0xC0000193 | Unauthorized logon due to an expired account.
0xC0000224 | The user is flagged to change the password at the next logon.
0xC0000225 | Known Windows bug. Not a risk.
0xC0000234 | Attempted logon with a locked account.
0xC0000371 | The local account storage does not contain information about the specific account.
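The table above can be applied directly to 4776 events to show which workstation is sending the failing credentials for an account. The following is an added example, not part of the original page: the function name ConvertTo-CredentialFailure and the workstation names are hypothetical, the sample events are constructed, and TargetUserName, Workstation and Status are the field names event 4776 uses in its event XML.

```powershell
# Descriptions from the error code table above; hashtable keys are case-insensitive.
$StatusText = @{
    '0xC0000064' = 'Incorrect username'
    '0xC000006A' = 'Correct username, wrong password'
    '0xC000006D' = 'Generic logon failure'
    '0xC000006F' = 'Logon outside authorized hours'
    '0xC0000070' = 'Logon from a restricted workstation'
    '0xC0000071' = 'Expired password'
    '0xC0000072' = 'Disabled account'
    '0xC0000193' = 'Expired account'
    '0xC0000224' = 'Must change password at next logon'
    '0xC0000225' = 'Known Windows bug, not a risk'
    '0xC0000234' = 'Logon with a locked account'
    '0xC0000371' = 'Account not in local account storage'
}
function ConvertTo-CredentialFailure {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data.Status -or $data.Status -eq '0x0') { return }  # 0x0 = success, skip
        $reason = $StatusText[$data.Status]
        if (-not $reason) { $reason = 'Not in table' }
        [pscustomobject]@{ User = $data.TargetUserName; Workstation = $data.Workstation
                           Status = $data.Status; Reason = $reason }
    }
}
# Constructed sample events (not real log data), shaped like EventLogRecord.ToXml() output.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{0}</Data>
    <Data Name="Workstation">{1}</Data>
    <Data Name="Status">{2}</Data>
  </EventData>
</Event>
'@
$sample = @(
    $template -f 'j.brion', 'WKS-014', '0xc000006a'
    $template -f 'j.brion', 'WKS-014', '0xc000006a'
    $template -f 'j.brion', 'SRV-APP02', '0xc0000234'
    $template -f 'j.brion', 'WKS-014', '0x0'
)
# One row per user / source workstation / reason, busiest source first.
$sample | ConvertTo-CredentialFailure | Group-Object User, Workstation, Reason |
    Sort-Object Count -Descending | Select-Object Count, Name
# Live use: Get-WinEvent -FilterHashtable @{logname='security'; id=4776} |
#     ForEach-Object { $_.ToXml() } | ConvertTo-CredentialFailure
```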
To track account lockouts, you need to enable auditing for event ID 4740. Follow these steps:
1. Navigate to Computer Configuration -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management.
2. Enable success and failure for the "Audit User Account Management" policy.
Review and configure the account lockout policy in the following GPO section:
Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy
Example settings:
- Account lockout threshold: 10 invalid logon attempts
- Account lockout duration: 30 minutes
- Reset account lockout counter after: 10 minutes
Get-ADDefaultDomainPasswordPolicy | select LockoutDuration, LockoutObservationWindow, LockoutThreshold
Use this command to check the default account lockout policy settings on your domain controller.
Get-ADUserResultantPasswordPolicy -Identity j.brion | select-object LockoutDuration, LockoutObservationWindow, LockoutThreshold
Use this command to check the resultant lockout policy settings for a specific user if fine-grained password policies are enabled.
Open the Group Policy Management Console (gpmc.msc) and enable the Audit Account Lockout policy under:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Logon/Logoff
Get-ADDomain | select PDCEmulator
Use this command to find the PDC Emulator in your domain.
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select FriendlyName
Retrieves the friendly names of USB storage devices that have been plugged in to this computer, read from the USBSTOR registry key.
Get-WinEvent -FilterHashTable @{LogName = "Application", "System"; Level=1,2; StartTime=((Get-Date).AddDays(-7))} | Out-GridView
Lists Critical and Error (Level = 1, 2) events from Application and System logs for the past 7 days.
Add-WindowsFeature RSAT-AD-Powershell
Installs the RSAT Active Directory PowerShell module on Windows Server.
Import-Module ActiveDirectory
Imports the Active Directory PowerShell module into your session.