AD users getting locked out every 20 seconds - active-directory

I have been searching high and low for an answer, but I cannot seem to figure out why a few of our users keep getting locked out every 30 seconds. I unlock the account and can then watch the login attempts lock them out again within seconds. I have tried tools like Account Lockout Status and Netwrix, and I cannot find out which computer/service/task is causing it. I did turn on Netlogon logging, but it doesn't tell me which computer it's coming from, and the Event Viewer logs don't say either. Any help would be greatly appreciated!
I have put an example event and Netlogon line below:
Netlogon:
01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC000006A (there is nothing after from)
Event:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
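The Netlogon line in the question already carries the clue: a "Transitive Network logon" with an empty workstation and "(via WEB-SERVER)" is a pass-through authentication that a member server forwarded to the DC, so the host after "via" is the machine to look at, and 0xC000006A is STATUS_WRONG_PASSWORD. The following is an added example, not code from the question or its answers, that parses netlogon.log lines and groups the failures by account, forwarding host and status so the forwarding server stands out. It assumes the default log location C:\Windows\debug\netlogon.log; the sample lines are constructed.

```powershell
# Added example, not from the original thread. Parses Netlogon debug-log lines and
# turns each SamLogon entry into an object; constructed sample data below.
function Get-NetlogonLogon {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)][string[]]$Line,   # raw netlogon.log lines
        [string]$User = '*'                                      # wildcard filter on the account name
    )
    begin {
        # NTSTATUS codes Netlogon prints after "Returns"
        $status = @{
            '0x0'        = 'Success'
            '0xC000006A' = 'Wrong password'
            '0xC0000064' = 'No such user'
            '0xC0000234' = 'Account locked out'
            '0xC0000072' = 'Account disabled'
        }
        # "<ts> [LOGON] [<pid>] <DOMAIN>: SamLogon: <kind> logon of <user> from <ws> (via <host>) Returns <code>"
        $pattern = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] (?:\[\d+\] )?(?<dom>[^:]+): SamLogon: ' +
                   '(?<kind>.+?) logon of (?<user>.+?) from (?<ws>[^\s(]*)\s*(?:\(via (?<via>[^)]+)\))?\s*Returns (?<code>0x[0-9A-Fa-f]+)'
    }
    process {
        foreach ($l in $Line) {
            if ($l -notmatch $pattern) { continue }
            $account = $Matches['user'] -replace '^\(null\)\\', ''   # "(null)\John Jones" -> "John Jones"
            if ($account -notlike $User) { continue }
            [pscustomobject]@{
                Time        = $Matches['ts']
                User        = $account
                LogonType   = $Matches['kind']
                Workstation = $Matches['ws']        # empty for forwarded (transitive) logons
                Via         = $Matches['via']       # the member server that forwarded the request
                Status      = $Matches['code']
                Meaning     = $status[$Matches['code']]
            }
        }
    }
}

# Constructed sample lines in Netlogon's format: two bad passwords forwarded by WEB-SERVER
# and one successful logon from a workstation
$sample = @(
    '01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC000006A',
    '01/04 11:51:09 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC000006A',
    '01/04 11:51:12 [LOGON] [20280] DOMAIN: SamLogon: Network logon of DOMAIN\jjones from WKS-042 Returns 0x0'
)
$sample | Get-NetlogonLogon |
    Where-Object { $_.Status -ne '0x0' } |
    Group-Object User, Via, Meaning |
    Select-Object Count, Name

# Against the real log (Netlogon debug logging must be enabled for the file to exist):
# Get-Content C:\Windows\debug\netlogon.log | Get-NetlogonLogon -User 'John*'
```

Run it on the DC that holds the PDC emulator role as well, since bad-password attempts are forwarded there before a lockout is decided; a Sub Status of 0xC0000064 in the 4625 event shown above means the supplied user name did not exist at all, which is a different failure from the wrong-password code in the Netlogon line.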

Do you use LDAP-integrated applications?
Advise those end users to clear their browser cache (if not already done); if they are Windows users, clear credentials in:
Credential Manager->Windows Credentials->Delete all entries under "Generic Credentials"
Does your organisation authenticate users who connect to corporate WiFi using AD? If so, check that the end users' mobile/tablet devices have been configured with the new password; the best way to do this is to forget the connection and reconnect using the new credentials.
We've had very similar issues in the past and resolved them by doing the above.

I have recently done this for myself.
The script can show you the timestamp, username and machine name from which the lockout event originated.
Here is the code:
# Set default parameters and variables
param (
    [string]$DomainName = $env:USERDOMAIN,
    [string]$UserName = "*",
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)
# Check that the current PowerShell version is 4 or higher
if ($Host.Version.Major -lt 4) {
    Write-Host "`n`nError: You need at least version 4 PowerShell for logging to work, `nCurrent version:" $Host.Version.Major -BackgroundColor Red -ForegroundColor White
    Write-Host "`nBefore you start using this script, please upgrade your PowerShell from Microsoft website!" -BackgroundColor Yellow -ForegroundColor Black
    Read-Host "`n`nScript execution finished, press enter to exit!"
    Exit
}
# Grab the information about your AD forest
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Get list of all domain controllers in the forest
$DC = $Forest.Domains | ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }
# Prompt user to enter a specific username or accept default (which means look for all locked out events)
Write-Host "`n`nEnter a UserName to search user specific locked out events `n`nOR `n`nPress enter to search all locked out usernames!" -BackgroundColor Yellow -ForegroundColor Black
Start-Sleep 3
$TestName = Read-Host "`nPlease enter a UserName or Press enter"
if ($TestName) { [string]$UserName = $TestName }
Write-Host "`nScript will search for locked out events on the following domain controllers..." -BackgroundColor Gray -ForegroundColor Black
$DC
# Search for locked out events on each DC (the query runs locally on the DC) and store them in a variable
$DC | ForEach-Object {
    Write-Host "`nChecking for locked out events on $_, please wait..." -BackgroundColor Gray -ForegroundColor Black
    $OutPut = Invoke-Command -ComputerName $_ -ScriptBlock {
        $ErrorActionPreference = "SilentlyContinue"
        # 4740 = "A user account was locked out"; Properties[0] is the account, Properties[1] the caller computer name
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$Using:StartTime} |
            Where-Object { $_.Properties[0].Value -like "$Using:UserName" } |
            Select-Object -Property TimeCreated,
                @{Label='UserName';   Expression={$_.Properties[0].Value}},
                @{Label='ClientName'; Expression={$_.Properties[1].Value}}
        $ErrorActionPreference = "Continue"
    } | Select-Object -Property TimeCreated, UserName, ClientName
    # Piping to Out-Host here would leave $OutPut empty, so keep the objects and print them below
    if (-not $OutPut) { Write-Host "`nWarning: No lockout events were found!`nContinuing the search..." -BackgroundColor Yellow -ForegroundColor Black }
    else { $OutPut | Out-Host }
}


How can I use the previous return to determine if I can send the alert by PowerShell?

I'm going to use dbatools to check whether my job is running or not. If it isn't running, I need to send out an email alert.
I only have a little background in PowerShell programming.
# Import-Module D:\Tools\dbatools\dbatools.psd1 if it isn't loaded
If ( ! (Get-Module dbatools) ) {
    Import-Module D:\Tools\dbatools\dbatools.psd1
}
# Get the job status
Get-DbaAgentJob -SqlInstance My_SQL_Instance -Job My_Job_Name | Out-File C:\DBA\Result.txt
# Send the email alert if the job is not running
Send-MailMessage -From My_Email_Address -Subject "My_Job_Name job is not running..." -To User_Email_Address -Attachments C:\DBA\Result.txt -Body "The MiantoEDW replication job is not running..." -BodyAsHtml -SmtpServer My_SmtpServer
I need to verify the property of CurrentRunStatus to determine to send an email alert or not.
I would do something like the following:
$jobStatus = Get-DbaAgentJob -SqlInstance My_SQL_Instance -Job My_Job_Name
$jobStatus | Select-Object Name, CurrentRunStatus | Export-Csv C:\DBA\Result.csv -NoTypeInformation
if ($jobStatus.CurrentRunStatus -ne "Executing") {
    # Run some code if job is not running
    Send-MailMessage -From My_Email_Address -Subject "My_Job_Name job is not running..." -To User_Email_Address -Attachments C:\DBA\Result.csv -Body "The MiantoEDW replication job is not running..." -BodyAsHtml -SmtpServer My_SmtpServer
}
else {
    # Run some code if job is running
}
Get-DbaAgentJob doesn't display the CurrentRunStatus property by default. You will need to retrieve it, which is done by Select-Object CurrentRunStatus. Since the command outputs an object, I chose to use Export-Csv to export a cleaner output that aligns the object properties and values. $jobStatus stores the output of the Get-DbaAgentJob command. Accessing the $jobStatus.CurrentRunStatus property for value Executing will verify if a job is currently running.
I've not used dbatools but I assume the CurrentRunStatus is available in the Result.txt file you're outputting to?
If so, assign the result of Get-DbaAgentJob to a variable and then Out-File from that variable. Then access the CurrentRunStatus property from the variable to determine whether or not to send the alert.

PowerShell script to start a service if it is stopped, wait a minute and send an email notification

I am very new to PowerShell and in the learning stage. I have tried to create a script to automate the task below. This script is not working as I expected. Could you please review it and give me some help with it?
My task is:
I am trying to find SQL services (more than one SQL service on multiple servers) which are in the stopped state and trying to start them, waiting a minute for the service start to complete and verifying the service status again. If it is still in the stopped state, I am trying to send an email to a set of people for action.
Could you please review the code below and correct the mistake? I tried to find it but was unable to.
#Define servers & services variables
$Servers = Get-Content "E:\Bhanu\SQLServer.txt"
$Services = Get-Content "E:\Bhanu\SQLService.txt"
#Function definition
Function ServiceStatus ($Servers, $Services)
{
    foreach ($Server in $Servers)
    {
        foreach ($Service in $Services)
        {
            $Servicestatus = Get-Service -ComputerName $Server -Name $Service
            if ($Servicestatus.Status -eq "Stopped")
            {
                # Start-Service has no -ComputerName parameter; starting through the remote
                # ServiceController object targets the service on $Server
                $Servicestatus.Start()
                Start-Sleep -Seconds 60
                $ServiceStatus1 = Get-Service -ComputerName $Server -Name $Service
                if ($ServiceStatus1.Status -eq "Stopped")
                {
                    FuncMail -To "abc@gmail.com" -From "abc@gmail.com" -Subject "$Server $Service fails to Start, Take immediate Action to avoid Impact" -Body "$Service Service fails to Start, Take immediate Action to avoid Impact" -smtpServer "servername"
                }
            }
        }
    }
}
function FuncMail
{
    param($To, $From, $Subject, $Body, $smtpServer)
    $msg = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    $msg.From = $From
    $msg.To.Add($To)
    $msg.Subject = $Subject
    $msg.IsBodyHtml = $true
    $msg.Body = $Body
    $smtp.Send($msg)
}
#Function call
ServiceStatus $Servers $Services
Please let me know if you need anything else from my end.
Hi, this isn't the best approach and I'm doing it in a quick way.
Note: % = ForEach-Object; ? = Where-Object.
You have to save your password in a file if your SMTP server requires authentication (otherwise don't run that part), using read-host -assecurestring | convertfrom-securestring | out-file "C:\Secure\Password.txt"
I'm also assuming you have your servers saved in one file.
My solution starts all SQL Server services; if you want to start specific ones, just save the service names in one file, one per line.
The code to execute is below.
#Loading server and service details
$Services = Get-Content C:\PS\Service.txt
$servidores = Get-Content C:\PS\Servers\Servers.txt
#Loading mail credential (the file was written with read-host -assecurestring | convertfrom-securestring)
$Mailpasswordpath = "C:\PS\Securestring.txt"
$Mailusername = "DOmain\User"
$password = Get-Content $Mailpasswordpath | ConvertTo-SecureString
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Mailusername, $password
$servidores | ForEach-Object { Get-Service -ComputerName $_ -Name $Services } |   #Get the services on all servers
    Where-Object { $_.Status -eq "Stopped" } |                                    #Keep the ones whose status is Stopped
    ForEach-Object {
        $_.Start();                 #try to start
        Start-Sleep -Seconds 60;    #wait one minute
        $_.Refresh();               #refresh the service object to update its status
        #validate whether the status is still Stopped
        if ($_.Status -eq "Stopped")
        {
            #LOADING mail details
            $To = "user@domain.com"
            $subject = "$($_.MachineName) $($_.Name) fails to Start, Take immediate Action to avoid Impact"
            $From = "ServiceStatus@domain.com"
            $smtp = "Server.domain.com"
            $body = "$($_.Name) Service fails to Start, Take immediate Action to avoid Impact"
            #Sending email to notify
            Send-MailMessage -To $To -Subject $subject -From $From -SmtpServer $smtp -Body $body -Credential $Cred
        }
    }
P.S.: It's not the best approach; I only decided to solve this problem. If you want, we can create a function together later; just test it first.
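The answer above relies on a password file written with ConvertFrom-SecureString, which deserves a worked version: without -Key that cmdlet protects the string with the current user's DPAPI key, so the file only decrypts for the same account on the same machine and must be created under the account the scheduled task will run as. The following is an added example, not code from the question or the answer, that wraps that store/load step and restarts stopped services with a bounded wait and per-server error handling; the paths, user name and server list files are assumptions.

```powershell
# Added example, not from the original thread. Paths and the mail user are assumptions.
$CredPath = 'C:\PS\Securestring.txt'
$MailUser = 'DOMAIN\svc-mail'

# Run once, interactively, as the account that will execute the scheduled script
function Save-MailPassword {
    param([string]$Path = $CredPath)
    Read-Host -Prompt 'SMTP password' -AsSecureString |
        ConvertFrom-SecureString |               # DPAPI-protected: bound to this user and this machine
        Out-File -FilePath $Path
}

function Get-MailCredential {
    param([string]$Path = $CredPath, [string]$UserName = $MailUser)
    if (-not (Test-Path $Path)) { throw "No stored password at $Path; run Save-MailPassword first" }
    # ConvertTo-SecureString fails here if a different user or machine tries to read the file
    $secure = Get-Content $Path | ConvertTo-SecureString
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Start every stopped service named in $ServiceName on each server and report the result.
# WaitForStatus returns as soon as the service is running instead of always sleeping 60 s,
# and an unreachable server is reported rather than aborting the whole run.
function Start-StoppedService {
    param([string[]]$ComputerName, [string[]]$ServiceName, [int]$WaitSeconds = 60)
    foreach ($server in $ComputerName) {
        try {
            $services = Get-Service -ComputerName $server -Name $ServiceName -ErrorAction Stop
        } catch {
            Write-Warning "${server}: $($_.Exception.Message)"
            continue
        }
        foreach ($svc in ($services | Where-Object { $_.Status -eq 'Stopped' })) {
            try {
                $svc.Start()
                $svc.WaitForStatus('Running', [timespan]::FromSeconds($WaitSeconds))
            } catch {
                # TimeoutException (still not running) or an access/start error; reported below
                Write-Warning "$server $($svc.Name): $($_.Exception.Message)"
            }
            $svc.Refresh()
            [pscustomobject]@{ Server = $server; Service = $svc.Name; Status = $svc.Status }
        }
    }
}

$servers  = Get-Content 'C:\PS\Servers\Servers.txt'
$services = Get-Content 'C:\PS\Service.txt'
$failed = Start-StoppedService -ComputerName $servers -ServiceName $services |
          Where-Object { $_.Status -ne 'Running' }
if ($failed) {
    $body = ($failed | ForEach-Object { "$($_.Server) $($_.Service) is $($_.Status)" }) -join "`n"
    Send-MailMessage -To 'user@domain.com' -From 'ServiceStatus@domain.com' -SmtpServer 'Server.domain.com' `
        -Subject 'Services failed to start' -Body $body -Credential (Get-MailCredential)
}
```

One mail listing every failure is sent instead of one per service, and the credential is only read when there is something to send. If the password file is ever copied to another host it is useless there, which is the point of leaving -Key off; the trade-off is that the task must always run as the account that created it.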

How do I search through multiple domain controller's security logs and limited dates in Powershell?

Good Morning, Good Afternoon, Good Evening, or Goodnight!
I'm trying to undertake a project for my internship. The purpose of the script is to search for lockout events for a specific user within certain (given) time constraints throughout the different security logs.
$ComputerName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name
$EventList = Get-EventLog -ComputerName $ComputerName -LogName Security -InstanceID 4740 -Message "*Username*"
$EventList | Format-List -Property TimeGenerated, Message
So I'm curious about how to use the date class to output error messages from a specific date. For example, if I want to only view error messages from 5/05/2014 to 5/20/2014. Also, as far as how to loop through each of the domain controllers on our network, I figure it'd be easy to just set up some type of loop construct for that (once I know the proper syntax).
So there's my code initially. If you would like similar code for your own jolly kicks to find whatever type of error you'd like, then take this:
$ComputerName = "REPLACEWITHYOURCOMPUTERNAME"
$EventList = Get-EventLog -ComputerName $ComputerName -LogName Security -Message "*REPLACEWITHYOURUSERNAME*"
$EventList | Format-List -Property TimeGenerated, Message
To search for 2 days ago max:
Get-EventLog -LogName Security -After ((Get-Date).AddDays(-2))
To search yesterday only:
Get-EventLog -LogName Security -After ((Get-Date).AddDays(-2)) -Before ((Get-Date).AddDays(-1))
I think you should grasp the idea by now. Of course, for a final script to be functional you would have to wrap it around in parameters and so on.
Edit: You also asked how to create a loop.
Example:
$ComputerList = Get-Content ComputerList.txt
foreach ($Computer in $ComputerList) {
    Get-EventLog -LogName Security -ComputerName $Computer
    Write-Host "$Computer has been checked"
}
As a side note, for a several-DC environment this is going to be a nasty network-killer script. Parsing event logs remotely is generally a bad idea. Instead, think about Invoke-Command to launch the queries and wait until the DCs send you the output. This way they are executed locally and all you receive is the output. Much faster in general, in conjunction with Start-Job for example.
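Putting the two pieces of advice above together (a date-bounded query, run locally on every DC through Invoke-Command), as an added example that is not code from the question or the answer: one Invoke-Command with a list of computers fans out in parallel, and each DC filters its own Security log so only matching objects cross the network. It assumes the ActiveDirectory module (RSAT) for DC discovery and WinRM access to the DCs; the account name and dates are placeholders.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module and
# WinRM access to the domain controllers.
function Get-LockoutEvent {
    param(
        [string]$UserName = '*',                        # sAMAccountName or wildcard
        [datetime]$Start = (Get-Date).AddDays(-2),
        [datetime]$End = (Get-Date)
    )
    Import-Module ActiveDirectory
    $dcs = (Get-ADDomainController -Filter *).HostName
    # One Invoke-Command over all DCs runs in parallel (32 at a time by default); a DC that
    # does not answer produces an error but the others still return their results.
    Invoke-Command -ComputerName $dcs -ArgumentList $UserName, $Start, $End -ErrorAction Continue -ScriptBlock {
        param($UserName, $Start, $End)
        # 4740 = "A user account was locked out"; the date range is applied by the log service
        $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Start; EndTime = $End }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Read EventData by field name instead of relying on Properties[n] positions
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.TargetUserName -like $UserName) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    User   = $data.TargetUserName
                    Caller = $data.TargetDomainName   # in 4740 this field carries the caller computer name
                    DC     = $env:COMPUTERNAME
                }
            }
        }
    }
}

# Lockouts for one account between two dates, across every DC (placeholder values)
Get-LockoutEvent -UserName 'jdoe' -Start '2014-05-05' -End '2014-05-20' |
    Sort-Object Time | Format-Table Time, User, Caller, DC -AutoSize
```

The PDC emulator records every lockout in the domain, so the DC column normally shows it for each event; the Caller column is the machine that sent the bad passwords and is where the investigation continues.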

Release Management 12 - Create Web Site with Host Header

Is there a way to create a web site with Release Management v12 that will include a host header option?
My goal is to be able to host multiple sites on a single server, all binding to port 80 with different host headers, i.e. http://project1.development.local/, http://project2.development.local/
I'm able to create a web site with a host header from AppCmd.exe, yet this requires administration rights. I thought about using PowerShell, yet a UAC prompt will be triggered.
For right now, I'm having to manually create the server's web site to include the host header, and I'd like to have a totally automated release process.
TIA!
There's nothing in-the-box for it, but as luck would have it, I've hacked something together to handle site bindings:
param(
    $SiteName = $(throw "Site Name must be entered"),
    $HostHeader,
    $IpAddress,
    $Port,
    $RemoveDefault = $(throw "You must specify true or false")
)
Import-Module WebAdministration
try {
    $bindingExists = (Get-WebBinding "$SiteName" -Port "$Port" -Protocol "http" -HostHeader "$HostHeader" -IPAddress "$IpAddress")
    if (!$bindingExists) {
        Write-Host "Creating binding for $SiteName : Host header $HostHeader and IP Address $IpAddress"
        New-WebBinding "$SiteName" -Port $Port -Protocol "http" -HostHeader "$HostHeader" -IPAddress "$IpAddress"
    }
    else {
        Write-Host "Site $SiteName already has binding for host header $HostHeader and IP Address $IpAddress"
    }
    if ($RemoveDefault -eq "true") {
        # The default binding created with a new site is "*:80:" (any IP, port 80, no host header)
        $defaultBinding = Get-WebBinding "$SiteName" | Where-Object { $_.bindingInformation -eq "*:80:" }
        if ($defaultBinding -ne $null) {
            Write-Host "Default binding exists... removing."
            $defaultBinding | Remove-WebBinding
        }
        else {
            Write-Host "Default binding does not exist"
        }
    }
}
catch {
    Write-Host $_
    exit 1
}
exit 0
You can create a custom tool in RM to leverage this script, just pass it the parameters specified in the param block.
You should never have to use AppCmd.exe... If the built-in tools don't meet your needs, the WebAdministration PowerShell module should be able to do everything else.
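The binding script above assumes the site already exists; the question asked for the site itself to be created with a host header. The following is an added example, not code from the answer, that creates the site with New-Website -HostHeader when it is missing and otherwise adds the binding, so the step is safe to rerun on every release. It assumes the WebAdministration module; site names and paths are assumptions. Writing to the IIS configuration still needs an administrator token, which a deployment agent running as a service under an administrative account has without an interactive UAC prompt.

```powershell
# Added example, not from the original thread. Assumes the WebAdministration module
# and an elevated session; names and paths are placeholders.
Import-Module WebAdministration

# Create the site with its host-header binding, or add the binding if the site exists.
function New-HostHeaderSite {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$HostHeader,
        [Parameter(Mandatory = $true)][string]$PhysicalPath,
        [int]$Port = 80
    )
    if (-not (Test-Path $PhysicalPath)) {
        New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
    }
    # Filter the site list by name rather than relying on Get-Website -Name, which ignored
    # the name on some older module versions
    $site = Get-Website | Where-Object { $_.Name -eq $Name }
    if (-not $site) {
        # -HostHeader writes the binding as "*:80:<host>", so several sites can share port 80
        New-Website -Name $Name -PhysicalPath $PhysicalPath -Port $Port -HostHeader $HostHeader | Out-Null
    }
    elseif (-not (Get-WebBinding -Name $Name -Port $Port -Protocol http -HostHeader $HostHeader)) {
        New-WebBinding -Name $Name -Port $Port -Protocol http -HostHeader $HostHeader
    }
    # Return the bindings so the release step can log what is now configured
    Get-WebBinding -Name $Name | Select-Object protocol, bindingInformation
}

# Two sites side by side on port 80, told apart by host header (assumed names and paths)
New-HostHeaderSite -Name 'project1' -HostHeader 'project1.development.local' -PhysicalPath 'C:\inetpub\project1'
New-HostHeaderSite -Name 'project2' -HostHeader 'project2.development.local' -PhysicalPath 'C:\inetpub\project2'
```

Because a site created this way never gets the bare "*:80:" binding, the RemoveDefault branch of the script above is not needed for it, and no site on the server answers requests that carry an unknown host name.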

How to find the client name who has logged in to machine?

We are trying to find out from which machine a user has taken RDP.
Using the "quser" utility we are able to get all the information about the logged-in user except the client name.
Following is the command:
function Get-LoggedOnUser
{
    param([String[]]$ComputerName = $env:COMPUTERNAME)
    $ComputerName | ForEach-Object {
        # Collapse the column whitespace of quser's table into commas so it parses as CSV
        (quser /SERVER:$_) -replace '\s{2,}', ',' |
            ConvertFrom-Csv |
            Add-Member -MemberType NoteProperty -Name ComputerName -Value $_ -PassThru
    }
}
It displays all the information that Windows Task Manager can provide except the client name.
How do I get the client name using PowerShell?
I doubt WMI has a way to do this. You can check the PSTerminalServices module; it has a Get-TSSession cmdlet which does the job you are looking for.
http://archive.msdn.microsoft.com/PSTerminalServices
This module uses binary Cassia namespace.
You can use this:
http://gallery.technet.microsoft.com/scriptcenter/0e43993a-895a-4afe-a2b2-045a5146048a
and look for the logged on user with a logon type of RemoteInteractive
You can read that information from the Security eventlog (look for logon type 10):
$username = '...'
$eventID = 4624 # 528 on Server 2003 and earlier
$date = (Get-Date).Date
# Logon type 10 = RemoteInteractive (RDP); capture the address that follows "Source Network Address"
$pattern = 'logon type:\s+10[\s\S]+source network address:\s+(\S+)'
# Double quotes so $username is expanded into the wildcard filter
Get-EventLog Security -InstanceId $eventID -EntryType SuccessAudit `
    -After $date -Message "*$username*" `
    | ? { $_.Message -match $pattern } `
    | % { $matches[1] } `
    | select -Unique
Note that on Server 2003 and earlier you need to check for event ID 528 instead of 4624.
References:
http://technet.microsoft.com/en-us/library/cc787567
http://support.microsoft.com/kb/977519
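The same lookup can be done without matching on the message text: an XPath filter lets the event log service select 4624 events with LogonType 10 for the account, and the client address and name come from the named EventData fields. The following is an added example, not code from the answer above; the account name is a placeholder and the lookup covers the local machine unless -ComputerName is given.

```powershell
# Added example, not from the original thread. Works on Vista/2008 and later (event 4624).
function Get-RdpLogonSource {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [datetime]$Since = (Get-Date).Date,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $ms = [int64]((Get-Date) - $Since).TotalMilliseconds
    # 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP). The XPath is evaluated
    # by the event log service, so only matching events are returned to the caller.
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
             "EventData[Data[@Name='LogonType']='10' and Data[@Name='TargetUserName']='$UserName']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the EventData fields by name from the event XML
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = $data.TargetUserName
                ClientAddress = $data.IpAddress          # "Source Network Address" in the message text
                ClientName    = $data.WorkstationName    # the name the RDP client sent, if any
            }
        } | Sort-Object Time -Descending
}

# RDP logons for one account during the last day (placeholder account name)
Get-RdpLogonSource -UserName 'jdoe' -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

XPath string comparison is case-sensitive, so pass the account name exactly as it appears in the event. The WorkstationName field is only filled when the client supplied a name, so ClientAddress is the reliable column and ClientName a bonus; for a live session rather than history, the quser output in the question remains the quickest check.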
