Login monitoring - Powershell

    Question

  • Hi, the following script will connect to a computer and retrieve successful login attempts http://gallery.technet.microsoft.com/ScriptCenter/en-us/dd90d04f-5de5-4cf2-ad50-187701f3196c.  How can this be changed to monitor failed login attempts on Windows servers (2003, 2008) and send an email either daily or when a failure is detected? 

    Is there a better way to monitor the Windows security logs for failed login attempts and have them reported?

    The events I'm interested in are:

    529 - Unknown username or bad password
    531 - Account currently disabled
    535 - The specified account's password has expired
    537 - An unexpected error occurred during logon
    539 - Account locked out

    Many thanks for your help!
    Wednesday, September 30, 2009 2:51 PM

Answers

  • Try this, and see if $entries has the data:

    # "Computer" is the name of the machine whose Security log is read
    $log = New-Object Diagnostics.eventlog "Security","Computer"

    # Keep only the failed-logon events listed in the question
    $entries = $log.Entries |Where-Object {$_.EventID -eq 529 -or $_.EventID -eq 531 -or $_.EventID -eq 535 -or $_.EventID -eq 537 -or $_.EventID -eq 539 -and $_.Source -eq 'Security'}

    Karl

    Thursday, October 1, 2009 4:43 PM
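
One way to turn the filter above into the daily e-mail report the question asks for, as an added example that is not part of the original thread. The server names, mail addresses and SMTP host are placeholders, the function names are hypothetical, and the layout of the insertion strings is an assumption; it needs PowerShell 2.0 for `Send-MailMessage`.

```powershell
# Added example, not code from the thread. Servers, addresses and SMTP host are placeholders.
$FailureIds = 529, 531, 535, 537, 539   # event IDs listed in the question

function Get-FailedLogon {
    # Read each computer's Security log the way the answer does and keep
    # only the failure events generated after $After.
    param([string[]]$ComputerName, [datetime]$After)
    foreach ($computer in $ComputerName) {
        try {
            $log = New-Object System.Diagnostics.EventLog 'Security', $computer
            $log.Entries |
                Where-Object { $_.TimeGenerated -ge $After -and $FailureIds -contains $_.EventID } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Computer = $computer
                        Time     = $_.TimeGenerated
                        EventID  = $_.EventID
                        # Assumption: insertion string 0 is the user name, 1 the domain.
                        Account  = '{0}\{1}' -f $_.ReplacementStrings[1], $_.ReplacementStrings[0]
                    }
                }
        } catch {
            # An unreachable server must not silently drop out of the report.
            Write-Warning "Could not read the Security log on ${computer}: $_"
        }
    }
}

function Format-FailedLogonReport {
    # One line per computer/account/event ID: count, key, time of last failure.
    param([object[]]$Failure)
    $Failure | Group-Object Computer, Account, EventID | Sort-Object Count -Descending |
        ForEach-Object {
            $last = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            '{0,5}  {1}  (last: {2:yyyy-MM-dd HH:mm})' -f $_.Count, $_.Name, $last
        }
}

# Daily run: look back 24 hours and send mail only when failures were found.
$failures = @(Get-FailedLogon -ComputerName 'SERVER01', 'SERVER02' -After (Get-Date).AddDays(-1))
if ($failures.Count -gt 0) {
    $mail = @{
        To = 'admins@example.com'; From = 'logonmonitor@example.com'
        SmtpServer = 'smtp.example.com'
        Subject    = "$($failures.Count) failed logons in the last 24 hours"
        Body       = (Format-FailedLogonReport $failures) -join "`r`n"
    }
    Send-MailMessage @mail
}
```

Run it from a daily scheduled task under an account that can read the remote Security logs. Windows Server 2008 records failed logons as event 4625 with a different insertion-string layout, so the ID list and the Account field need adjusting there.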

All replies

  • I like scanning the netlogon.log, which is located in the %winntdir%\debug folder. You can do a quick search on Google to set up LOGON info; just put in netlogon.log.

    It shows you the machine that is locking out the account. It's much easier than messing with the security log, but both can be used.

    With PowerShell you can do a regex against the log file for a certain user ID, take those results and e-mail them :)).



    My .02 cents

    Chris
    Wednesday, October 7, 2009 12:14 AM