To find account lockout events on multiple domain controllers, download logparser 2.2 and execute the following command in a domain admin context (e.g. runas user:domain\administrator logparser.exe), where the part below the command is in "lockouts.sql". The account lockout event is 644 -- if you need to find others, read Microsoft's KB174074 Also, this script will access each domain controller's security event log sequentially, so if you're in a hurry, execute several different logparser processes for each domain controller.
logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:datagrid
------stick this part in lockouts.sql
SELECT
timegenerated AS LogonTime,
extract_token(strings, 0, '|') AS UserName,
message as Message
FROM \\domaincontroller1\security, \\domaincontroller2\security, \\domaincontrolle2\Security
WHERE EventID = 644
-----end here
If you want the output to go into a database instead of a datagrid (Excel-type) table, make the logparser command look like this:
logparser.exe file:c:\scripts\logparser\lockouts.sql -o:SQL -server:myDBservername driver:"SQL Server" -database:myDBname -createtable:ON
Table name will end up matching your dbname. Set -createtable to off after you run it once.
Props to: Microsoft's Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett.
If you're going to be doing anything with windows logs, buy the book. It's more useful than several log management software packages I've demo'ed.
Download Log Parser here.
나누미 검증 추천 | 바둑이사이트 현금바둑이 딱 2곳만 추천 가장 안전하고 정직하며 신속한 바둑이사이트를 메이저 중에서도 메이저로 만나실 수 있습니다 한국을 대표하는 바둑이게임 더 이상의 바둑이사이튼 절대 없습니다 먹튀검증사이트 나누미 추천은 정확합니다 자세한 내용은 웹 사이트를 방문하십시오 현금바둑이.
ReplyDelete