Tuesday, March 11, 2014

PowerShell command to find account lockout origin of an AD user


PowerShell commands to find the origin of an account lockout in a simple way. The event ID is different on 2003 and 2008 DCs:
 
  • User account lockout event: 644 (for 2003 DC)
Get-EventLog security -ComputerName "Domaincontrollername" | Where {($_.EventID -eq '644') -and ($_.Message -like '*userID*') } | fl
  • User account lockout event: 4740 (for 2008 DC)
Get-EventLog security -ComputerName "Domaincontrollername" | Where {($_.EventID -eq '4740') -and ($_.Message -like '*userID*') } | fl
  • Command to export the details to a CSV file:
Get-EventLog security -ComputerName "Domaincontrollername" | Where {($_.EventID -eq '4740') -and ($_.Message -like '*userID*') } | Export-Csv "c:\Temp\Lockoutevents.csv"
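
The same 4740 lookup as an added example (not part of the original post), using Get-WinEvent instead of Get-EventLog so the event ID filter runs on the domain controller, and returning the lockout source as its own column. Assumptions: a 2008 or later DC; the function name Get-LockoutOrigin is hypothetical; "Domaincontrollername" and "userID" are the same placeholders used above.

```powershell
# Added example, not from the original post. Get-LockoutOrigin is a hypothetical name.
function Get-LockoutOrigin {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [string] $UserName,
        [string] $CsvPath   # optional: also write the rows to this CSV file
    )

    # Filter on the DC by log and event ID instead of pulling the whole Security log.
    $filter = @{ LogName = 'Security'; Id = 4740 }
    try {
        $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { throw }
    }

    $rows = foreach ($e in $events) {
        # Read the event's named data fields rather than matching on message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Exact (case-insensitive) match on the locked-out account.
        if ($data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            LockedOutUser    = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            CallerComputer   = $data['TargetDomainName']
            ReportedBy       = $data['SubjectUserName']
            DomainController = $e.MachineName
        }
    }

    if ($CsvPath) { $rows | Export-Csv -Path $CsvPath -NoTypeInformation }
    $rows
}

# Usage with the placeholders from the commands above:
# Get-LockoutOrigin -DomainController "Domaincontrollername" -UserName "userID" -CsvPath "c:\Temp\Lockoutevents.csv"
```

An empty CallerComputer value means the event did not record a source machine name for that lockout.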

-------------------------------------------------------------------------------------------

http://gallery.technet.microsoft.com/scriptcenter/Account-lockout-5eb1fbab