Active Directory: Audit users' lock out events with Powershell (Part II)

If you have deployed the script from Audit users' lock out events with Powershell (Part I), the script below reads the logs it produces and shows how many lockouts each user has had and from which computers.


$line = "-" * 50
$logspath = "\\SERVERDC03\c$\scheduledstasks"
do {
    $array = @()
    $count = 0
    # List the available logs, newest first, with an index to pick from
    $logfile = @(Get-ChildItem "$logspath\*.txt" | Sort-Object LastWriteTime -Descending)
    $logfile | ForEach-Object { Write-Host "$count $($_.Name)" -ForegroundColor Cyan; $count++ }
    Write-Host $line -ForegroundColor Yellow
    $lognum = Read-Host "Num log to check? (empty=all)"
    if ($lognum -ne "exit") {
        if ($lognum -eq "") { $logfileselected = $logfile }
        else { $logfileselected = $logfile[[int]$lognum] }
        # Each log line is "date username computer", separated by single spaces
        $logfileselected | Get-Content | ForEach-Object {
            $field = $_.Split(" ")
            $array += New-Object -TypeName PSObject -Property @{
                strdate  = $field[0]
                username = $field[1]
                computer = $field[2]
            }#end object
        }#end foreach
        do {
            Write-Host $line -ForegroundColor Yellow
            $username = Read-Host "Username to check? (empty=all)"
            # Prefer an exact username match; otherwise treat the input as a pattern
            $usrexist = $array | Where-Object { $_.username -eq $username }
            if ($null -eq $usrexist) { $matched = $array | Where-Object { $_.username -match $username } }
            else { $matched = $usrexist }
            # Group before formatting so the number of users can be counted directly
            $usrlist = @($matched | Group-Object username | Sort-Object Name)
            $usrlist | Format-Table Count, Name -AutoSize
            if ($usrlist.Count -eq 1) {
                # Result is 1 user only: list each lockout and the computer it came from
                $matched | Sort-Object strdate -Descending | Format-Table strdate, computer -AutoSize
            }
        } while ($username -ne "exit")
    }#end if lognum exit
} while ($lognum -ne "exit")
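
A non-interactive variant of the same report, added here as an example and not part of the original script: it parses lines in the "date username computer" layout that the script above splits on, and prints one row per user with the lockout count and the source computers. The function names and the sample lines are constructed for illustration, and `[pscustomobject]` assumes PowerShell 3.0 or later.

```powershell
# Constructed sample lines in the "date username computer" layout;
# real input would come from Get-Content on the logs written by Part I.
$sample = @'
2013-05-02T09:14:07 jsmith PC-ACCT-01
2013-05-02T09:20:41 jsmith PC-ACCT-01
2013-05-02T10:02:13 mlopez LAPTOP-17
2013-05-03T08:45:00 jsmith SRV-MAIL-02
malformed-line
2013-05-03T11:30:52 mlopez LAPTOP-17
'@ -split "`r?`n"

# Hypothetical helper: turn raw log lines into objects, skipping bad lines
function ConvertFrom-LockoutLog {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Split on runs of whitespace; a usable line has at least three fields
        $f = $l.Trim() -split '\s+'
        if ($f.Count -lt 3) { continue }
        [pscustomobject]@{ StrDate = $f[0]; UserName = $f[1]; Computer = $f[2] }
    }
}

# Hypothetical helper: one row per user with total lockouts and a
# per-computer breakdown, most frequent source computer first
function Get-LockoutSummary {
    param([object[]]$Record)
    $Record | Group-Object UserName | ForEach-Object {
        $byComputer = $_.Group | Group-Object Computer | Sort-Object Count -Descending
        [pscustomobject]@{
            UserName  = $_.Name
            Lockouts  = $_.Count
            Computers = ($byComputer | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join ', '
        }
    } | Sort-Object Lockouts -Descending
}

Get-LockoutSummary (ConvertFrom-LockoutLog $sample) | Format-Table -AutoSize
```

A user whose lockouts all come from one computer usually points to a stale saved credential on that machine, while lockouts spread across many computers deserve a closer look.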
    
