Comments (22)
  1. Ed (DareDevil57) says:


  2. If you get RPC errors, in the first instance, update Get-WinEvent -ComputerName $PDC to Get-WinEvent -ComputerName $PDC.Name… after that, you’re on your own 😉

    1. Anonymous says:

      Thanks, This helped me so much after my account kept constantly locking out. This found the source of the issue and voila… all sorted now.

  3. Put it all on one line and then see if you get the same result…

  4. Anonymous says:

    Pingback from AD: Tracing the Source of Account Lockouts | MS Tech BLOG

  5. Me says:


  6. Brett Holden says:

    I've been looking for an easy way to do this for some time. This is spot-on, thanks

  7. Excellent and helped me to find the account lockout for DGM

  8. Mahesh Adate says:

    Dear Ian Farr,

    If possible, Please create a script file to download and execute.

  9. Joe says:

    Oh my god, just copy the content, paste it into notepad and save it.

    1. Andrew says:

      Should I just copy this as is and save it as a VBS?

  10. Greg D says:

    Tried to run this, but it just prints out ALL of the events from my PDC to the screen. Can't see anything relating to account lockouts or even related to the user account. Any ideas?

  11. Greg C says:

    Everything after "#Collect lockout events for user from last hour" is a single line

  12. Vinny says:

    What if we need to check before 15 to 20 days

  13. jbruns2010 says:

    Not only do we need machine, but what process on that machine. If it’s not obvious, it can be very hard to know.

  14. jbruns2010 says:

    We used to be able to use ALockout.dll in 2003 but it no longer works in 2008 and up.

  15. sreenivasa sarma says:

    my traces account is locked how to lockout

  16. Andy says:

    Hi, this script is brilliant thank you but it runs incredibly slow, does anybody else experience this or is it something I can remedy?

  17. rino19ny says:

    Strange, I couldn’t get that output:

    ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated Id LevelDisplayName Message
    ----------- -- ---------------- -------
    11/30/2016 10:34:30 AM 4624 Information An account was successfully logged on….
    11/30/2016 10:34:30 AM 4768 Information A Kerberos authentication ticket (TGT) was requested….
    11/30/2016 10:34:30 AM 4634 Information An account was logged off….
    11/30/2016 10:34:30 AM 4634 Information An account was logged off….

  18. Wolfgang says:

    “Get-WinEvent : The specified query is invalid” 🙁

    1. Karl says:

      Same error for me

  19. Technicality says:

    What should you do when the “Source Host” is not a machine that exists in your AD or DNS? Can you make this give you the IP address from which the request came (for example, when an attacker used a proxy to relay authentication attempts)?

Comments are closed.
