Import-Module ActiveDirectory
# Locate the domain controller that holds the PDC emulator FSMO role; the
# account-lockout events (ID 4740) are read from that DC's Security log later
# in this script.
# NOTE(review): Get-ADDomainController -Filter * enumerates the DCs of the
# current domain only — confirm that is the intended scope in a multi-domain forest.
$PDC = Get-ADDomainController -Filter * |
    Where-Object { $_.OperationMasterRoles -contains 'PDCEmulator' }
function GetLockedDetails($events)
{
    <#
    .SYNOPSIS
    Flattens account-lockout event records into report rows.

    .DESCRIPTION
    For every record piped in from $events, emits one object with six
    columns built from the record's Properties array (indexes 0, 1 and 2),
    TimeCreated, MachineName and the first line of Message.

    .PARAMETER events
    Event records to project. This script passes the Get-WinEvent output
    for Security event ID 4740.

    .OUTPUTS
    One object per input record, carrying the columns defined below.
    #>

    # The column labels are emitted as CSV headers and are kept exactly as authored.
    $columns = @(
        # User name: Properties[2] is handed to Get-ADUser as the identity and
        # the resulting Name is reported (for 4740 this is presumably the
        # locked account's SID — confirm against the event schema).
        @{ Label = '用户名'; Expression = { (Get-ADUser -Identity $_.Properties[2].Value).Name } }
        # Domain account: the account name recorded in the event.
        @{ Label = '域账号'; Expression = { $_.Properties[0].Value } }
        # Lockout source computer.
        # NOTE(review): this name is reported by the authenticating client, so
        # treat it as untrusted text when triaging or opening the export.
        @{ Label = '锁定源计算机'; Expression = { $_.Properties[1].Value } }
        # Lockout time: when the event was logged.
        @{ Label = '锁定时间'; Expression = { $_.TimeCreated } }
        # Domain controller: the machine that logged the event.
        @{ Label = '域控'; Expression = { $_.MachineName } }
        # Event info: only the first line of the message (text before the first CR).
        @{ Label = '事件信息'; Expression = { $_.Message -split "`r" | Select-Object -First 1 } }
    )

    $events | Select-Object -Property $columns
}
# Pull every event ID 4740 (account locked out) from the Security log of the
# PDC emulator. Reading a remote Security log needs suitable rights on that DC,
# and only events still retained in the log are returned.
# NOTE(review): when no event matches, Get-WinEvent reports an error and the
# export below still runs — check the CSV is not empty before relying on it.
$LockedOutEvents = Get-WinEvent -ComputerName $PDC.HostName -FilterHashtable @{
    LogName = 'Security'
    Id      = 4740
}

# Timestamped report on the current user's Desktop.
# NOTE(review): the file lists account names and source hosts in plain text;
# store and share it as sensitive data.
$ExportPath = '{0}\Desktop\{1}-lockedinfo.csv' -f $env:USERPROFILE, (Get-Date -Format 'yyyy-MM-dd-HH-mm')

# NOTE(review): cell values come straight from event data; if the CSV is opened
# in a spreadsheet, values beginning with =, +, - or @ may be read as formulas.
GetLockedDetails -events $LockedOutEvents |
    Export-Csv -Path $ExportPath -Encoding UTF8 -NoTypeInformation
PowerShell导出域控账户锁定日志