Falschanmeldungen abfragen
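Um herauszufinden, wie viele Falschanmeldungen ein User oder Computer insgesamt auf allen Domain-Controllern initiiert hat, führen wir folgende PowerShell-Skripte aus. Die Attribute badPwdCount und badPasswordTime werden nicht zwischen den Domain-Controllern repliziert, daher muss jeder DC einzeln abgefragt werden.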
Vorlage von AD-FAQ genutzt und angepasst.
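# Sums badPwdCount for one computer account across all domain controllers and
# reports the most recent badPasswordTime. Both attributes are stored per DC
# and are not replicated, so every DC is queried individually.
# NOTE(review): a DC can forward a failed attempt to the PDC emulator, which
# may count it as well; treat the total as an upper bound - confirm for your domain.

# Domain controllers are selected by primaryGroupID 516.
$DCs = Get-ADComputer -Filter 'primarygroupid -eq "516"' -Properties Name | Select-Object -ExpandProperty Name
# Alternative source for the server list: the forest's global catalogs.
#$DCs = (Get-ADForest).GlobalCatalogs
$samAccountName = Read-Host "Computername?"
$badpwdcount = 0
# The default DateTime value serves as the "no failed logon seen" marker.
$badpwdtime = New-Object System.DateTime
foreach ($dc in $DCs) {
    try {
        $computer = Get-ADComputer $samAccountName -Server $dc -Properties badPwdCount,badPasswordTime -ErrorAction Stop
    } catch {
        # Without this, a failed query would leave $computer holding the previous
        # DC's result, and that result would be counted a second time.
        Write-Warning "DC $dc konnte nicht abgefragt werden: $($_.Exception.Message)"
        continue
    }
    $badpwdcount += $computer.badPwdCount
    # A missing or zero badPasswordTime means "never" on this DC. Converting it
    # would yield 01.01.1601 and defeat the "-" fallback below.
    if ($computer.badPasswordTime -gt 0) {
        $computerBadPwdTime = [datetime]::FromFileTime($computer.badPasswordTime)
        if ($badpwdtime -lt $computerBadPwdTime) {
            $badpwdtime = $computerBadPwdTime
        }
    }
}
if ($badpwdtime -ne (New-Object System.DateTime)) {
    $bptString = $badpwdtime.ToString("dd.MM.yyyy HH:mm:ss")
} else {
    $bptString = "-"
}
# Label corrected from "User: " because this script reports a computer account.
Write-Host("Computer: " + $samAccountName + "- Fehlgeschlagene Logons: " + $badpwdcount + " – Letzter fehlgeschlagener Versuch am: " + $bptString)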
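# Sums badPwdCount for one user account across all domain controllers and
# reports the most recent badPasswordTime. Both attributes are stored per DC
# and are not replicated, so every DC is queried individually.
# NOTE(review): a DC can forward a failed attempt to the PDC emulator, which
# may count it as well; treat the total as an upper bound - confirm for your domain.

# Domain controllers are selected by primaryGroupID 516.
$DCs = Get-ADComputer -Filter 'primarygroupid -eq "516"' -Properties Name | Select-Object -ExpandProperty Name
$samAccountName = Read-Host "Username?"
$badpwdcount = 0
# The default DateTime value serves as the "no failed logon seen" marker.
$badpwdtime = New-Object System.DateTime
foreach ($dc in $DCs) {
    try {
        $user = Get-ADUser $samAccountName -Server $dc -Properties badPwdCount,badPasswordTime -ErrorAction Stop
    } catch {
        # Without this, a failed query would leave $user holding the previous
        # DC's result, and that result would be counted a second time.
        Write-Warning "DC $dc konnte nicht abgefragt werden: $($_.Exception.Message)"
        continue
    }
    $badpwdcount += $user.badPwdCount
    # A missing or zero badPasswordTime means "never" on this DC. Converting it
    # would yield 01.01.1601 and defeat the "-" fallback below.
    if ($user.badPasswordTime -gt 0) {
        $userBadPwdTime = [datetime]::FromFileTime($user.badPasswordTime)
        if ($badpwdtime -lt $userBadPwdTime) {
            $badpwdtime = $userBadPwdTime
        }
    }
}
if ($badpwdtime -ne (New-Object System.DateTime)) {
    $bptString = $badpwdtime.ToString("dd.MM.yyyy HH:mm:ss")
} else {
    $bptString = "-"
}
Write-Host("User: " + $samAccountName + "- Fehlgeschlagene Logons: " + $badpwdcount + " – Letzter fehlgeschlagener Versuch am: " + $bptString)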