版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/LeoForBest/article/details/85028874
Import-Module ActiveDirectory
# 查找PDCEmulator角色所在的域控账号锁定日志
$PDC = Get-ADDomainController -Filter * | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"}
function GetLockedDetails($events)
{
$ret = $events | Select-Object -Property @(
@{Label = '用户名'; Expression = {(Get-ADUser -Identity $_.Properties[2].value).Name}}
@{Label = '域账号'; Expression = {$_.Properties[0].Value}}
@{Label = '锁定源计算机'; Expression = {$_.Properties[1].Value}}
@{Label = '锁定时间'; Expression = {$_.TimeCreated}}
@{Label = '域控'; Expression = {$_.MachineName}}
@{Label = '事件信息'; Expression = {$_.Message -split "`r" | Select -First 1}}
)
return $ret
}
$LockedOutEvents = Get-WinEvent -ComputerName $PDC.HostName -FilterHashtable @{LogName='Security'; Id=4740}
$ExportPath = "$env:USERPROFILE\Desktop\$(Get-Date -Format "yyyy-MM-dd-HH-mm")-lockedinfo.csv"
GetLockedDetails -events $LockedOutEvents | Export-Csv -Path $ExportPath -Encoding UTF8 -NoTypeInformation