BadUserCount


Query failed logons

To find out how many failed logon attempts a user or computer has accumulated in total across all domain controllers, we run the following PowerShell scripts.

Based on an AD FAQ template, adapted.

Query Computer badPwdCount

Import-Module ActiveDirectory

# All domain controllers (primaryGroupID 516 = Domain Controllers group)
$DCs = Get-ADComputer -Filter 'primaryGroupID -eq "516"' -Properties Name | Select-Object -ExpandProperty Name
# $DCs = (Get-ADForest).GlobalCatalogs
$samAccountName = Read-Host "Computer name?"
$badpwdcount = 0
$badpwdtime = New-Object System.DateTime

foreach ($dc in $DCs) {
    # badPwdCount and badPasswordTime are read from each DC separately
    $computer = Get-ADComputer $samAccountName -Server $dc -Properties badPwdCount, badPasswordTime
    $badpwdcount += $computer.badPwdCount

    # A value of 0 or empty means no failed attempt is recorded on this DC
    if ($computer.badPasswordTime -gt 0) {
        $computerBadPwdTime = [datetime]::FromFileTime($computer.badPasswordTime)

        if ($badpwdtime -lt $computerBadPwdTime) {
            $badpwdtime = $computerBadPwdTime
        }
    }
}

if ($badpwdtime -ne (New-Object System.DateTime)) {
    $bptString = $badpwdtime.ToString("dd.MM.yyyy HH:mm:ss")
} else {
    $bptString = "-"
}

Write-Host ("Computer: " + $samAccountName + " - Failed logons: " + $badpwdcount + " - Last failed attempt on: " + $bptString)

Query user badPwdCount

Import-Module ActiveDirectory

# All domain controllers (primaryGroupID 516 = Domain Controllers group)
$DCs = Get-ADComputer -Filter 'primaryGroupID -eq "516"' -Properties Name | Select-Object -ExpandProperty Name
$samAccountName = Read-Host "Username?"
$badpwdcount = 0
$badpwdtime = New-Object System.DateTime

foreach ($dc in $DCs) {
    # badPwdCount and badPasswordTime are read from each DC separately
    $user = Get-ADUser $samAccountName -Server $dc -Properties badPwdCount, badPasswordTime
    $badpwdcount += $user.badPwdCount

    # A value of 0 or empty means no failed attempt is recorded on this DC
    if ($user.badPasswordTime -gt 0) {
        $userBadPwdTime = [datetime]::FromFileTime($user.badPasswordTime)

        if ($badpwdtime -lt $userBadPwdTime) {
            $badpwdtime = $userBadPwdTime
        }
    }
}

if ($badpwdtime -ne (New-Object System.DateTime)) {
    $bptString = $badpwdtime.ToString("dd.MM.yyyy HH:mm:ss")
} else {
    $bptString = "-"
}

Write-Host ("User: " + $samAccountName + " - Failed logons: " + $badpwdcount + " - Last failed attempt on: " + $bptString)
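
Per-DC breakdown

The scripts above print only the sum. The following added example (not part of the original post or the AD FAQ template) keeps one row per domain controller, so you can see which DC the failed logons arrive at and which DCs could not be queried. The function name Get-BadPwdCountPerDC and its parameters are made up for this example.

```powershell
# Added example: per-DC failed-logon breakdown for one account.
# Requires the ActiveDirectory module (RSAT). Function name is hypothetical.
Import-Module ActiveDirectory

function Get-BadPwdCountPerDC {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [ValidateSet('User', 'Computer')][string]$ObjectType = 'User'
    )

    # Same DC discovery as the scripts above (primaryGroupID 516)
    $dcs = Get-ADComputer -Filter 'primaryGroupID -eq 516' |
        Select-Object -ExpandProperty Name

    foreach ($dc in $dcs) {
        $row = [ordered]@{
            DC = $dc; BadPwdCount = $null; LastBadPassword = $null; Error = $null
        }
        try {
            $props = 'badPwdCount', 'badPasswordTime'
            $obj = if ($ObjectType -eq 'User') {
                Get-ADUser $SamAccountName -Server $dc -Properties $props -ErrorAction Stop
            } else {
                Get-ADComputer $SamAccountName -Server $dc -Properties $props -ErrorAction Stop
            }
            $row.BadPwdCount = [int]$obj.badPwdCount
            # badPasswordTime is a FILETIME; 0 or empty = no failed attempt recorded
            if ($obj.badPasswordTime -gt 0) {
                $row.LastBadPassword = [datetime]::FromFileTime($obj.badPasswordTime)
            }
        } catch {
            # An unreachable DC is reported instead of silently counting as 0
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

$rows = @(Get-BadPwdCountPerDC -SamAccountName (Read-Host 'Username?'))
$rows | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize

# Same totals as the scripts above, computed from the per-DC rows
$total = 0
$rows | ForEach-Object { $total += [int]$_.BadPwdCount }
$last = $rows | Where-Object { $_.LastBadPassword } |
    Sort-Object LastBadPassword | Select-Object -Last 1
$bptString = if ($last) { $last.LastBadPassword.ToString('dd.MM.yyyy HH:mm:ss') } else { '-' }
Write-Host ("Failed logons: " + $total + " - Last failed attempt on: " + $bptString)
```

For a computer account, call the function with -ObjectType Computer. Failed attempts are also forwarded to the PDC emulator, so its row can repeat attempts already counted on another DC; read the sum as an upper bound and the per-DC rows as the detail.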