Query failed logons
To find out how many failed logon attempts a user or computer account has accumulated in total across all domain controllers, we run the following PowerShell scripts.
The scripts are based on a template from AD FAQ and have been adapted.
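# Sums badPwdCount for one computer account across the domain controllers and
# reports the most recent badPasswordTime seen on any of them.
# Both attributes are kept per DC and are not replicated, so each DC is asked in turn.
# NOTE: the filter matches primaryGroupID 516 (Domain Controllers); read-only DCs
# use a different primary group and are therefore not queried.
# NOTE: treat the total as an indicator, not an exact figure - a failed attempt can
# be counted on the authenticating DC and again on the PDC emulator, and the
# counter is reset by a successful logon.
$DCs = Get-ADComputer -Filter 'primaryGroupID -eq 516' -Properties Name | Select-Object -ExpandProperty Name
# Alternative source for the server list:
# $DCs = (Get-ADForest).GlobalCatalogs
$samAccountName = Read-Host "Computer name?"
$badpwdcount = 0
# Default DateTime (01.01.0001) serves as the "no failed logon seen" marker.
$badpwdtime = New-Object System.DateTime
foreach ($dc in $DCs) {
    try {
        # -ErrorAction Stop: without it a failed query leaves $computer holding the
        # previous DC's object, whose count would then be added a second time.
        $computer = Get-ADComputer $samAccountName -Server $dc -Properties badPwdCount, badPasswordTime -ErrorAction Stop
    }
    catch {
        # An unreachable DC makes the total incomplete; say so instead of hiding it.
        Write-Warning ("Could not query " + $dc + ": " + $_.Exception.Message)
        continue
    }
    $badpwdcount += $computer.badPwdCount
    # badPasswordTime is 0 or empty when this DC has recorded no failure. Converting
    # that would yield a date in 1601, which would defeat the "-" fallback below.
    if ($computer.badPasswordTime -gt 0) {
        $computerBadPwdTime = [datetime]::FromFileTime($computer.badPasswordTime)
        if ($badpwdtime -lt $computerBadPwdTime) {
            $badpwdtime = $computerBadPwdTime
        }
    }
}
if ($badpwdtime -ne (New-Object System.DateTime)) {
    $bptString = $badpwdtime.ToString("dd.MM.yyyy HH:mm:ss")
} else {
    $bptString = "-"
}
# Labelled "Computer" because this script queries a computer account.
Write-Host ("Computer: " + $samAccountName + " - Failed logons: " + $badpwdcount + " - Last failed attempt on: " + $bptString)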
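# Sums badPwdCount for one user account across the domain controllers and
# reports the most recent badPasswordTime seen on any of them.
# Both attributes are kept per DC and are not replicated, so each DC is asked in turn.
# NOTE: the filter matches primaryGroupID 516 (Domain Controllers); read-only DCs
# use a different primary group and are therefore not queried.
# NOTE: treat the total as an indicator, not an exact figure - a failed attempt can
# be counted on the authenticating DC and again on the PDC emulator, and the
# counter is reset by a successful logon.
$DCs = Get-ADComputer -Filter 'primaryGroupID -eq 516' -Properties Name | Select-Object -ExpandProperty Name
$samAccountName = Read-Host "Username?"
$badpwdcount = 0
# Default DateTime (01.01.0001) serves as the "no failed logon seen" marker.
$badpwdtime = New-Object System.DateTime
foreach ($dc in $DCs) {
    try {
        # -ErrorAction Stop: without it a failed query leaves $user holding the
        # previous DC's object, whose count would then be added a second time.
        $user = Get-ADUser $samAccountName -Server $dc -Properties badPwdCount, badPasswordTime -ErrorAction Stop
    }
    catch {
        # An unreachable DC makes the total incomplete; say so instead of hiding it.
        Write-Warning ("Could not query " + $dc + ": " + $_.Exception.Message)
        continue
    }
    $badpwdcount += $user.badPwdCount
    # badPasswordTime is 0 or empty when this DC has recorded no failure. Converting
    # that would yield a date in 1601, which would defeat the "-" fallback below.
    if ($user.badPasswordTime -gt 0) {
        $userBadPwdTime = [datetime]::FromFileTime($user.badPasswordTime)
        if ($badpwdtime -lt $userBadPwdTime) {
            $badpwdtime = $userBadPwdTime
        }
    }
}
if ($badpwdtime -ne (New-Object System.DateTime)) {
    $bptString = $badpwdtime.ToString("dd.MM.yyyy HH:mm:ss")
} else {
    $bptString = "-"
}
Write-Host ("User: " + $samAccountName + " - Failed logons: " + $badpwdcount + " - Last failed attempt on: " + $bptString)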