Now that we’ve covered what should be a part of your daily Active Directory groups hygiene, let’s see what should be the top reports to run on users.
One thing that happens in every Active Directory domain daily is user accounts locking out. It is good practice to have a reasonable Account Lockout policy in place. Most of the time there is a legitimate explanation behind every account lockout. For example, it can be a mail application on a user's mobile device that is still using an old password, or a mapped network drive on a user's desktop that tries to connect to a file share every time the desktop operating system reboots. But sometimes locked out user accounts can signify a brute force attack happening right in front of your eyes. So, how do you review account lockouts and pinpoint the ones that deserve a more thorough investigation?
For starters, here is a simple PowerShell command that will return all locked out accounts in the domain:
Search-ADAccount -LockedOut
It is beautifully simple but has one downside: it shows a fixed set of attributes for every locked out user account, and that information might not be enough to weigh the severity of each lockout.
To solve this problem, here is another, more flexible way of retrieving user account lockouts using the Get-ADUser cmdlet:
Get-ADUser -Filter * -Properties SamAccountName,LastBadPasswordAttempt,badPwdCount,LockedOut | Where-Object { $_.LockedOut -eq $true } | Select-Object SamAccountName,LastBadPasswordAttempt,badPwdCount
In this one-liner we have control over the set of attributes that will be shown for every locked user account. In particular, we are pulling the following attributes:
- SamAccountName
- LastBadPasswordAttempt
- badPwdCount
The first two attributes are self-explanatory and just give you some basic context. The badPwdCount attribute is the crown jewel. It keeps counting the failed password attempts until the user successfully logs on. If this value does not go well beyond the maximum failed password attempts setting in your Account Lockout Policy, then it is probably a poor user who has forgotten his password. If, on the other hand, the count keeps growing from one account lockout to the next, it can indicate something more serious going on in your network.
Another bit of information that is very helpful in troubleshooting account lockouts is the computer the bad password logon attempts are coming from. Unfortunately, Active Directory does not store this information as a user attribute. To obtain it you can use scripts that pull this data from the domain controllers' event logs or, better yet, rely on products that do all of that for you automatically, e.g. SecureHero Logon Reporter.
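The following script is an added example, not code from the original post or from SecureHero: it combines the lockout report above with the triage described in the text and, where event ID 4740 is available, the calling computer. It assumes the RSAT ActiveDirectory module, that badPwdCount and lockoutTime are read from the PDC emulator (these attributes are not replicated, and the PDC receives every failed attempt), permission to read that DC's Security log, and an illustrative cut-off of twice the lockout threshold as "well beyond" the policy setting.

```powershell
# Added example (not from the original post): triage current lockouts against the
# domain lockout threshold and attach the caller computer from event ID 4740.
Import-Module ActiveDirectory

# badPwdCount and lockoutTime are not replicated between DCs; the PDC emulator
# sees every failed attempt, so query it rather than whichever DC answers first.
$pdc       = (Get-ADDomain).PDCEmulator
$threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold   # 0 = lockout disabled

# Event 4740 ("A user account was locked out") on the PDC names the computer the
# bad attempts came from; AD itself does not keep this on the user object.
$since  = (Get-Date).AddHours(-24)
$source = @{}
try {
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$since} -ErrorAction Stop |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            $from = ($data | Where-Object Name -eq 'TargetDomainName').'#text'  # caller computer in 4740
            if (-not $source.ContainsKey($user)) { $source[$user] = $from }
        }
} catch { Write-Warning "Could not read 4740 events from ${pdc}: $_" }

Search-ADAccount -LockedOut -Server $pdc |
    Get-ADUser -Server $pdc -Properties badPwdCount,LastBadPasswordAttempt,lockoutTime |
    ForEach-Object {
        $count = [int]$_.badPwdCount
        # Illustrative cut-off (an assumption, not a documented rule): a count far past
        # the threshold means attempts kept arriving after the lock took effect.
        $verdict = if ($threshold -gt 0 -and $count -ge 2 * $threshold) { 'INVESTIGATE' }
                   elseif ($count -gt $threshold)                       { 'Review' }
                   else                                                 { 'Likely user error' }
        [pscustomobject]@{
            SamAccountName         = $_.SamAccountName
            LockedSince            = [DateTime]::FromFileTime($_.lockoutTime)
            LastBadPasswordAttempt = $_.LastBadPasswordAttempt
            badPwdCount            = $count
            Threshold              = $threshold
            CallerComputer         = $source[$_.SamAccountName]
            Verdict                = $verdict
        }
    } | Sort-Object badPwdCount -Descending | Format-Table -AutoSize
```

Run it from a domain-joined host with the ActiveDirectory module installed; accounts with a blank CallerComputer were locked before the 24-hour window or the 4740 query failed.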