Login failures report

It is important to know about the failed login attempts against a DC, not just the successful ones: a run of failures against one account, or against many accounts from one source, can be the trace of a brute-force or password-spraying attempt, so they deserve to be reviewed.
The following script creates a report of the login failures recorded on a given domain controller:

## Report for DC login failures ##
$failedevent = $null
$Date = Get-Date
$dc = Read-Host 'What is the Domain Controller ?'
$Report = "C:\auditreport.html"
$HTML = @"
<title>Failed Login Report for $dc</title>
<style>
BODY{background-color :LightBlue}
</style>
"@
# Event 4625 = "An account failed to log on"; look back seven days on the chosen DC
$failedevent = Get-EventLog Security -ComputerName $dc -InstanceId 4625 -After (Get-Date).AddDays(-7) |
Select TimeGenerated,ReplacementStrings |
% {
# ReplacementStrings is positional for 4625: 5 = TargetUserName, 13 = WorkstationName, 19 = IpAddress
New-Object PSObject -Property @{
SourceComputer = $_.ReplacementStrings[13]
UserName = $_.ReplacementStrings[5]
SourceIPAddress = $_.ReplacementStrings[19]
Date = $_.TimeGenerated
}
}
$failedevent | ConvertTo-Html -Property SourceComputer,UserName,SourceIPAddress,Date -Head $HTML -Body "<H2>Failed Login Report for $dc</H2>" |
Out-File $Report
# Open the finished report with the default browser
Invoke-Item $Report
The preceding script is laid out for readability. When you paste it into PowerShell, make sure no extra blank lines are introduced. Note that Get-EventLog is the classic event-log cmdlet and exists only in Windows PowerShell (5.1 and earlier); on PowerShell 7 use Get-WinEvent instead.

When you run the preceding script, it prompts for the domain controller you wish to run the report against. It then searches that DC's Security log for event ID 4625 and lists the following data in the report:

  • The source computer
  • Username
  • The source IP address
  • Event time
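Two things are worth knowing before relying on this report. Event 4625 is only written when failure auditing is enabled for Logon/Logoff > Audit Logon, and it records failures handled by this particular DC, so in a multi-DC domain the report must be run against each DC. Kerberos pre-authentication failures are logged as event 4771 rather than 4625, so a 4625-only report mainly reflects NTLM and interactive logon failures at the DC.

The following is an added example, not code from the book: it reads the same 4625 events with Get-WinEvent, maps the event fields by name from the event XML instead of by ReplacementStrings position (so it does not break if the field order differs), decodes the SubStatus code into a human-readable reason, and groups the results to surface two patterns the flat report hides: one source IP trying many distinct accounts (spraying) and many failures against one account (brute force or a stale credential). The DC name REBEL-PDC-01 is taken from the book; the thresholds and the output path are assumptions for illustration.

```powershell
# Added example (not part of the original page). Thresholds are illustrative assumptions.
function Get-FailedLogonSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Days = 7,
        [int] $SprayThreshold = 10,   # distinct users from one IP (assumed value)
        [int] $BruteThreshold = 20    # failures against one user (assumed value)
    )

    # NTSTATUS sub-status codes as they appear in the SubStatus field of 4625
    $subStatus = @{
        '0xc0000064' = 'User name does not exist'
        '0xc000006a' = 'Wrong password'
        '0xc0000234' = 'Account locked out'
        '0xc0000072' = 'Account disabled'
        '0xc000006f' = 'Logon outside permitted hours'
        '0xc0000070' = 'Workstation restriction'
        '0xc0000071' = 'Password expired'
        '0xc0000193' = 'Account expired'
        '0xc000015b' = 'Logon type not granted'
    }

    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no failures"
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull EventData by name so the script does not depend on field order
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $code = "$($data['SubStatus'])".ToLower()

            [pscustomobject]@{
                Time        = $_.TimeCreated
                UserName    = $data['TargetUserName']
                Domain      = $data['TargetDomainName']
                Workstation = $data['WorkstationName']
                IpAddress   = $data['IpAddress']
                LogonType   = $data['LogonType']
                Reason      = if ($subStatus.ContainsKey($code)) { $subStatus[$code] } else { $code }
            }
        }

    # One source trying many different accounts looks like password spraying
    $spray = $events | Group-Object IpAddress | Where-Object {
        @($_.Group.UserName | Sort-Object -Unique).Count -ge $SprayThreshold
    } | Select-Object @{n='IpAddress';e={$_.Name}},
                      @{n='DistinctUsers';e={@($_.Group.UserName | Sort-Object -Unique).Count}},
                      Count

    # Many failures against one account looks like brute force (or a stale saved credential)
    $brute = $events | Group-Object UserName | Where-Object { $_.Count -ge $BruteThreshold } |
        Select-Object @{n='UserName';e={$_.Name}}, Count,
                      @{n='Sources';e={@($_.Group.IpAddress | Sort-Object -Unique) -join ', '}}

    [pscustomobject]@{
        Events             = $events
        PossibleSpray      = $spray
        PossibleBruteForce = $brute
    }
}

# Usage: run against one DC, write the raw list to HTML as the book's script does,
# and print the two summaries to the console
$summary = Get-FailedLogonSummary -ComputerName 'REBEL-PDC-01' -Days 7
$summary.Events | ConvertTo-Html -Property Time,UserName,Workstation,IpAddress,Reason |
    Out-File 'C:\auditreport.html'
$summary.PossibleSpray | Format-Table -AutoSize
$summary.PossibleBruteForce | Format-Table -AutoSize
```

The Reason column is what makes the report actionable: a long list of "User name does not exist" failures from one IP is a different problem from "Wrong password" against a real administrator account. To fold Kerberos failures into the same view, add 4771 to the Id filter and map its Status field, which uses Kerberos error codes rather than the NTSTATUS values above.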

The following screenshot shows the failed report for REBEL-PDC-01:
