BadUserCount

badPwdCount User Computer


Querying failed logons

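To find out how many failed logons a user or computer has initiated in total across all domain controllers, we run the following PowerShell scripts. badPwdCount and badPasswordTime are not replicated between domain controllers, so every DC has to be queried individually.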

Based on a template from AD-FAQ, adapted.

Query Computer badPwdCount

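# All domain controllers (primary group 516 = "Domain Controllers")
$DCs = Get-ADComputer -Filter 'primarygroupid -eq "516"' -Properties Name | Select-Object -ExpandProperty Name
# Alternative: all global catalogs in the forest
#$DCs = (Get-ADForest).GlobalCatalogs
$samAccountName = Read-Host "Computername?"
$badpwdcount = 0
$badpwdtime = New-Object System.DateTime

foreach ($dc in $DCs) {
    try {
        $computer = Get-ADComputer $samAccountName -Server $dc -Properties badPwdCount,badPasswordTime -ErrorAction Stop
    } catch {
        # Skip unreachable DCs so the previous DC's values are not counted twice
        Write-Warning "Skipping ${dc}: $($_.Exception.Message)"
        continue
    }
    $badpwdcount += $computer.badPwdCount

    # badPasswordTime is a FILETIME; 0 or empty means no failed logon is recorded on this DC
    if ($computer.badPasswordTime -gt 0) {
        $computerBadPwdTime = [datetime]::FromFileTime($computer.badPasswordTime)
        if ($badpwdtime -lt $computerBadPwdTime) {
            $badpwdtime = $computerBadPwdTime
        }
    }
}

# Show "-" if no DC has recorded a failed logon
if ($badpwdtime -ne (New-Object System.DateTime)) {
    $bptString = $badpwdtime.ToString("dd.MM.yyyy HH:mm:ss")
} else {
    $bptString = "-"
}

Write-Host("Computer: " + $samAccountName + " - Fehlgeschlagene Logons: " + $badpwdcount + " - Letzter fehlgeschlagener Versuch am: " + $bptString)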

Query User badPwdCount

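# All domain controllers (primary group 516 = "Domain Controllers")
$DCs = Get-ADComputer -Filter 'primarygroupid -eq "516"' -Properties Name | Select-Object -ExpandProperty Name
$samAccountName = Read-Host "Username?"
$badpwdcount = 0
$badpwdtime = New-Object System.DateTime

foreach ($dc in $DCs) {
    try {
        $user = Get-ADUser $samAccountName -Server $dc -Properties badPwdCount,badPasswordTime -ErrorAction Stop
    } catch {
        # Skip unreachable DCs so the previous DC's values are not counted twice
        Write-Warning "Skipping ${dc}: $($_.Exception.Message)"
        continue
    }
    $badpwdcount += $user.badPwdCount

    # badPasswordTime is a FILETIME; 0 or empty means no failed logon is recorded on this DC
    if ($user.badPasswordTime -gt 0) {
        $userBadPwdTime = [datetime]::FromFileTime($user.badPasswordTime)
        if ($badpwdtime -lt $userBadPwdTime) {
            $badpwdtime = $userBadPwdTime
        }
    }
}

# Show "-" if no DC has recorded a failed logon
if ($badpwdtime -ne (New-Object System.DateTime)) {
    $bptString = $badpwdtime.ToString("dd.MM.yyyy HH:mm:ss")
} else {
    $bptString = "-"
}

Write-Host("User: " + $samAccountName + " - Fehlgeschlagene Logons: " + $badpwdcount + " - Letzter fehlgeschlagener Versuch am: " + $bptString)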
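
Per-DC breakdown (added example, not part of the original post or the AD-FAQ template): it goes beyond the two scripts above by keeping one row per domain controller instead of only a sum, because a DC that rejects a password passes the attempt on to the PDC emulator, so the same failure can be counted on two DCs. The function names, the DC host names and the sample rows are assumptions made for this example.

```powershell
# Added example (not from the original post). Get-BadPwdPerDC needs the ActiveDirectory
# module; Get-BadPwdSummary is pure and is run below on constructed rows.
function Get-BadPwdPerDC {
    # The pattern rejects LDAP filter metacharacters such as ( ) * \ in the name.
    param([Parameter(Mandatory)][ValidatePattern('^[\w.\-$ ]+$')][string]$SamAccountName)
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Get-ADObject matches users and computers (computer account names end in '$').
            $o = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime -ErrorAction Stop
        } catch {
            Write-Warning "Skipping $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        if (-not $o) { continue }
        [pscustomobject]@{
            Server          = $dc.HostName
            IsPdcEmulator   = $dc.OperationMasterRoles -contains 'PDCEmulator'
            BadPwdCount     = [int]$o.badPwdCount
            BadPasswordTime = [long]$o.badPasswordTime   # FILETIME; 0 = no failure recorded
        }
    }
}

function Get-BadPwdSummary {
    param([Parameter(Mandatory)][object[]]$Row)
    # Ignore FILETIME 0 so "never failed" is not reported as a date in the year 1601.
    $latest = $Row | Where-Object { $_.BadPasswordTime -gt 0 } |
        Sort-Object BadPasswordTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        SumAllDCs        = ($Row | Measure-Object BadPwdCount -Sum).Sum
        PdcEmulatorCount = ($Row | Where-Object { $_.IsPdcEmulator }).BadPwdCount
        LastFailure      = if ($latest) { [datetime]::FromFileTime($latest.BadPasswordTime) }
        LastFailureDC    = if ($latest) { $latest.Server }
    }
}

# Constructed rows with hypothetical DC names, shaped like Get-BadPwdPerDC output.
$sample = @(
    [pscustomobject]@{ Server = 'dc01.example.test'; IsPdcEmulator = $true
                       BadPwdCount = 3; BadPasswordTime = (Get-Date '2024-05-01 08:15').ToFileTime() }
    [pscustomobject]@{ Server = 'dc02.example.test'; IsPdcEmulator = $false
                       BadPwdCount = 3; BadPasswordTime = (Get-Date '2024-05-01 08:14').ToFileTime() }
    [pscustomobject]@{ Server = 'dc03.example.test'; IsPdcEmulator = $false
                       BadPwdCount = 0; BadPasswordTime = 0 }
)
$sample | Format-Table
Get-BadPwdSummary -Row $sample   # compare SumAllDCs with PdcEmulatorCount
```

Against a live domain, replace the constructed rows with `$rows = @(Get-BadPwdPerDC -SamAccountName <name>)` and pass `$rows` to Get-BadPwdSummary.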