Account lock out access

    Question

  • Hello 

    I would like to allow all of the Service Desk to run the script that finds the account lockout location.

    As Domain Admin the script works fine when run on a Domain Controller; however, when I run the same script on a Win7 machine after installing the ADDS, it gives the error

    WARNING: Could not retrieve information about the Security log. Error:
    Attempted to perform an unauthorized operation..

    The test user ID has been delegated full control of Active Directory.

    Please advise

    Thanks


    NA

    Monday, March 13, 2017 7:41 PM

Answers

  • Hello 

    I did not find any solution for this, to install the ADDS on all Service Desk machines,

    So I decided that we can automate the script and send an email at regular intervals to the email address of the service desk members so that they can check it and troubleshoot.


    NA

    • Marked as answer by Masthanomatic Monday, March 27, 2017 2:05 PM
    Monday, March 27, 2017 2:04 PM
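    The automated, emailed report that the accepted answer describes, written out as an added example (not the poster's script or Jason's): it runs on the PDC emulator itself from a scheduled task, so the Security log is read locally and no remote access to it has to be opened for service desk accounts. Mail server, addresses and the 4-hour window are placeholders.

```powershell
# Added example, not from the thread. Run on the PDC emulator from a scheduled task
# so that the Security log is read locally; nothing remote needs to be opened up.
# Mail settings and the reporting window are placeholders.
Import-Module ActiveDirectory

$Hours = 4                               # report window, matches the task schedule
$From  = 'lockouts@example.com'          # placeholder
$To    = 'servicedesk@example.com'       # placeholder
$Smtp  = 'smtp.example.com'              # placeholder

# Only the PDC emulator is guaranteed to log a 4740 for every lockout in the domain.
$Pdc = (Get-ADDomain).PDCEmulator
If ($env:COMPUTERNAME -ne ($Pdc -split '\.')[0])
{
    Write-Warning "This host is not the PDC emulator ($Pdc); nothing to report from here."
    Return
}

$Since  = (Get-Date).AddHours(-$Hours)
# SilentlyContinue: Get-WinEvent raises a non-terminating error when no event matches.
$Events = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$Since} -ErrorAction SilentlyContinue)

# In a 4740 event Properties[0] is the locked account, [1] the caller computer name, [2] the account SID.
$Report = $Events | ForEach-Object {
    New-Object PSObject -Property @{
        Time       = $_.TimeCreated
        Account    = $_.Properties[0].Value
        CallerHost = $_.Properties[1].Value
        AccountSid = "$($_.Properties[2].Value)"
    }
} | Sort-Object Time -Descending

If ($Events.Count -eq 0) { Return }      # quiet period, send nothing

# A per-account count so repeat lockouts stand out, then one line per event.
$Summary = $Report | Group-Object Account | Sort-Object Count -Descending |
           Select-Object Name, Count | Format-Table -AutoSize | Out-String
$Detail  = $Report | Format-Table Time, Account, CallerHost -AutoSize | Out-String

Send-MailMessage -From $From -To $To -SmtpServer $Smtp `
    -Subject "Account lockouts on $Pdc in the last $Hours h: $($Events.Count)" `
    -Body ("Lockouts per account:`r`n$Summary`r`nDetail:`r`n$Detail")
```

    Register it on the PDCe with something like `schtasks /Create /SC HOURLY /MO 4 /RU SYSTEM /TN LockoutReport /TR "powershell.exe -File C:\Scripts\LockoutReport.ps1"` (the path is a placeholder); SYSTEM already holds read access to the Security log, so no ACL change is needed.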

All replies

  • Have you granted the relevant permissions within the DC (not within AD, but within Windows), to read the event logs?
    Have you checked the relevant remoting ports are permitted by firewall?

    Have you considered this (including the comments/suggestions)?

    https://blogs.technet.microsoft.com/ashleymcglone/2015/08/31/forensics-automating-active-directory-account-lockout-search-with-powershell-an-example-of-deep-xml-filtering-of-event-logs-across-multiple-servers-in-parallel/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, March 13, 2017 8:41 PM
  • Hello 

    thanks for the reply,

    Could you please elaborate on how to grant the relevant permission within all the DCs to read the event log? If you are referring to Builtin > Event Log Readers, then it will be for the local DC.

    Please advise

    Thanks



    NA

    Monday, March 13, 2017 9:21 PM
  • Hi Masthanomatic,

    Domain\Event Log Readers is a group that grants read access to all event logs on all DCs in a given Domain.

    If you wish to get more granular, and only want to give access to the Security log on each DC, then you need this article: https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/

    Good Luck!

    Shane

    Tuesday, March 14, 2017 1:38 AM
  • thanks for the reply,

    I have added the test user to the Event Log Readers group and could see that it is replicated to all the DCs.

    However, when running the script logged in with the test user login, I still get the same error:

    WARNING: Could not retrieve information about the Security log. Error:
    Attempted to perform an unauthorized operation..

    What am I missing now?


    NA

    Tuesday, March 14, 2017 2:19 PM
  • > I have added the test user to the Event Log Readers group and could see that it is replicated to all the DCs,
     
    Event Log Readers are allowed to read event logs, but AFAIK not the Security event log; you need to modify its ACL to allow non-admins to read it.
     
    Tuesday, March 14, 2017 4:48 PM
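    A check for the point Martin raises, added here as an example (not code from the thread or from Jason's script): it reads the channelAccess SDDL of the Security log on every DC, reports whether the Event Log Readers SID already holds read rights there, and then tries a one-event read as the current account, which is exactly the access Get-WinEvent needs before it can search for event 4740. It assumes the RSAT ActiveDirectory module on the machine it runs from.

```powershell
# Added example, not from the thread or from Jason's script. Lists who may read the
# Security log on each DC (the log's channelAccess SDDL) and tests a one-event read.
# Assumes the RSAT ActiveDirectory module on the machine this runs from. Note that a
# group membership added to the account only takes effect after a fresh logon.
Import-Module ActiveDirectory

$EventLogReadersSid = 'S-1-5-32-573'   # well-known SID of BUILTIN\Event Log Readers ("ER" in SDDL shorthand)

# Pull the allow ACEs, e.g. "(A;;0x1;;;S-1-5-32-573)", out of an SDDL string.
Function Get-AllowAce([string]$Sddl)
{
    [regex]::Matches($Sddl, '\(A;;([^;]+);;;([^)]+)\)') | ForEach-Object {
        New-Object PSObject -Property @{
            Rights = $_.Groups[1].Value    # 0x1 = read, 0x5 = read + clear, 0xf0005 = full
            Sid    = $_.Groups[2].Value
        }
    }
}

Foreach ($DC in (Get-ADDomainController -Filter *))
{
    $Result = New-Object PSObject -Property @{
        DomainController = $DC.HostName; EventLogReadersInAcl = $Null; CanReadOneEvent = $False; Error = $Null
    }
    Try
    {
        # -ListLog returns the log configuration, including its SDDL, without reading any events.
        $Cfg = Get-WinEvent -ListLog Security -ComputerName $DC.HostName -ErrorAction Stop
        $Result.EventLogReadersInAcl = [bool](Get-AllowAce $Cfg.SecurityDescriptor |
            Where-Object { $_.Sid -eq $EventLogReadersSid -or $_.Sid -eq 'ER' })

        # The real test: can the current account actually read an event from this DC?
        $Null = Get-WinEvent -ComputerName $DC.HostName -LogName Security -MaxEvents 1 -ErrorAction Stop
        $Result.CanReadOneEvent = $True
    }
    Catch
    {
        # The thread's "Attempted to perform an unauthorized operation" lands here.
        $Result.Error = $_.Exception.Message
    }
    $Result
}
```

    Where a DC's ACL lacks the group, the ACE is appended on that DC with `wevtutil sl Security /ca:"<existing SDDL>(A;;0x1;;;S-1-5-32-573)"` (keep the existing SDDL intact; the angle-bracket part is a placeholder for it).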
  • Hello Martin

    Is this the way to do it?

    https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/

    Or do you have any other easier steps? Please suggest.

    Thanks


    NA

    Tuesday, March 14, 2017 8:18 PM
  • Hi Masthanomatic,

    If adding the user to the event log readers group does not grant the necessary permissions, most likely your script is doing something other than reading event logs.

    Perhaps you could post the script you are using and we can help you further.

    Good Luck!

    Shane

    Wednesday, March 15, 2017 1:08 AM
  • #Requires -Version 2.0
    Function Get-LockedOutLocation
    {
    <#
    .SYNOPSIS
    This function will locate the computer that processed a failed user logon attempt which caused the user account to become locked out.

    .DESCRIPTION
    This function will locate the computer that processed a failed user logon attempt which caused the user account to become locked out.
    The locked out location is found by querying the PDC Emulator for locked out events (4740).
    The function will display the BadPasswordTime attribute on all of the domain controllers to aid in further troubleshooting.

    .EXAMPLE
    PS C:\>Get-LockedOutLocation -Identity Joe.Davis

    This example will find the locked out location for Joe Davis.

    .NOTES
    This function is only compatible with an environment where the domain controller holding the PDCe role is running Windows Server 2008 SP2 or later.
    The script is also dependent on the ActiveDirectory PowerShell module, which requires the AD Web Services to be running on at least one domain controller.
    Author: Jason Walker
    Last Modified: 3/20/2013
    #>
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory=$True)]
            [String]$Identity
        )

        Begin
        {
            $DCCounter      = 0
            $LockedOutStats = @()
            $UserInfo       = $Null

            Try
            {
                Import-Module ActiveDirectory -ErrorAction Stop
            }
            Catch
            {
                Write-Warning $_
                Break
            }
        }#end begin

        Process
        {
            #Get all domain controllers in the domain and pick out the PDC emulator
            $DomainControllers = @(Get-ADDomainController -Filter *)
            $PDCEmulator = $DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"}

            Write-Verbose "Finding the domain controllers in the domain"
            Foreach($DC in $DomainControllers)
            {
                $DCCounter++
                Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
                Try
                {
                    #badPasswordTime is requested explicitly so that the BadPasswordTime column is populated
                    $UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut,badPasswordTime -ErrorAction Stop
                }
                Catch
                {
                    Write-Warning $_
                    Continue
                }
                If($UserInfo.LastBadPasswordAttempt)
                {
                    $LockedOutStats += New-Object -TypeName PSObject -Property @{
                        Name                   = $UserInfo.SamAccountName
                        SID                    = $UserInfo.SID.Value
                        LockedOut              = $UserInfo.LockedOut
                        BadPwdCount            = $UserInfo.BadPwdCount
                        BadPasswordTime        = $UserInfo.badPasswordTime
                        DomainController       = $DC.Hostname
                        AccountLockoutTime     = $UserInfo.AccountLockoutTime
                        LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()
                    }
                }#end if
            }#end foreach DCs
            $LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize

            If(-not $UserInfo)
            {
                Write-Warning "Could not read $Identity from any domain controller"
                Return
            }

            #Get the lockout events (4740) from the PDC emulator. This is the step that needs read access to the Security log on that DC.
            Try
            {
               Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
               $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
            }
            Catch
            {
               Write-Warning $_
               Return   #Continue outside a loop would abort the whole pipeline
            }#end catch

            #In a 4740 event Properties[0] is the account name, Properties[1] the caller computer name and Properties[2] the account SID
            Foreach($Event in $LockedOutEvents)
            {
               If("$($Event.Properties[2].Value)" -eq $UserInfo.SID.Value)
               {
                  $Event | Select-Object -Property @(
                    @{Label = 'User';               Expression = {$_.Properties[0].Value}}
                    @{Label = 'DomainController';   Expression = {$_.MachineName}}
                    @{Label = 'EventId';            Expression = {$_.Id}}
                    @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
                    @{Label = 'Message';            Expression = {$_.Message -split "`r" | Select-Object -First 1}}
                    @{Label = 'LockedOutLocation';  Expression = {$_.Properties[1].Value}}
                  )
               }#end if event
            }#end foreach lockedout event
        }#end process
    }#end function

    NA

    Wednesday, March 15, 2017 3:13 PM
  • It seems you are using Jason's script, detailed here:

    https://blogs.technet.microsoft.com/heyscriptingguy/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user/

    The significant difference for your scenario is that you are trying to remotely execute this script. Jason's script and blog don't describe a remoting scenario at all, so there are a few things "missing" (or perhaps "unspecified dependencies" is a better way to say that).

    Jason's script uses PowerShell. By default, remote execution is blocked by various settings, including Windows Firewall. This is particularly important for a domain controller, and especially important for securing access to the Security event log on a domain controller.

    Are you sure you want to open up all that security (bypass all that security)?

    Have you instead considered my original suggestion, referring to Ashley McGlone's blog article? Or some other approach (event forwarding or some such)?

    There are also several 3rd party products which offer such features (in case you would prefer to buy a solution rather than create one yourself).


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    Wednesday, March 15, 2017 8:26 PM
  • thanks for the wonderful explanation.

    It's just value-add I want to do for my environment, and I am aware of the 3rd party product.

    If this script will not work the way I am trying, can you suggest or modify this script so that it works on all the Windows 7 systems?

    thanks 


    NA

    Thursday, March 16, 2017 2:19 PM
  • I don't think there's any problem with the script at all.
    The script should work perfectly fine, *IF* you remove all security on/around your DC.

    >>> are you sure you want to open up all that security (bypass all that security)?

    (I would not be comfortable doing that in my enterprise...)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 16, 2017 8:28 PM
  • Hello 

    Can you elaborate on opening all security and the ways of opening it? I would like to explore this.

    thanks


    NA

    Thursday, March 16, 2017 9:23 PM
  • Hi Masthanomatic,

    The error you are getting is consistent with what I have seen when searching the security log remotely with no Admin access on the DCs - that error does not mean that there were no results.

    I would remove the try/catch block around this part of the script:

        Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
        $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending

    Good Luck!

    Shane

    Friday, March 17, 2017 1:47 AM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you would mark them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Thanks for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 21, 2017 9:15 AM
    Moderator