Worklet: Get-FailedLogons

  • 5 October 2020

https://github.com/bragdonjm/PS-Automox-Worklets/blob/main/Worklets/Get-FailedLogons.ps1

Computers not connected to Active Directory can have issues reporting failed login attempts. Through Automox Worklets, you can
now query batches of remote Windows computers running Automox for any failed login attempts. A nicely formatted table including
the most relevant metadata is returned.

Note:
- This script must be run as admin.
  To access the Security log, you must run this from a privileged PowerShell prompt.

- Verbose is supported.

Usage:
Example: ./Get-FailedLogons.ps1

Total number of events: 1

TargetAccount LogonType CallingComputer IPAddress TimeStamp
------------- --------- --------------- --------- ---------
Guest         Network   REDQUEEN        -         9/24/2020 3:50:24 PM


FAQ:
Q: Can you change the event ID?
A: The -eventId parameter is offered but really should not be changed. This script expects a specific output format that may not
process well with a different event ID.
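
Why the parsing is tied to one event ID, shown as an added example that is not the worklet's own code: each Security event ID has its own set of named EventData fields, so a parser written for the failed-logon event finds nothing useful in another event. The sketch assumes the standard Windows failed-logon event (ID 4625) and its field names; the function name, the column mapping and the sample event are constructed for illustration.

```powershell
# Added example, not the worklet's code. Event ID 4625 and its EventData field
# names are standard Windows; mapping them to these columns is an assumption.
$LogonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function ConvertFrom-FailedLogonXml {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$EventXml)

    $evt = ([xml]$EventXml).Event
    # Refuse other event IDs instead of emitting rows of empty columns.
    if ([int]$evt.System.EventID -ne 4625) {
        throw "Unexpected event ID $($evt.System.EventID): field layout differs per event ID."
    }
    # EventData is a list of <Data Name="...">value</Data>; index it by name.
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TargetAccount   = $data['TargetUserName']
        LogonType       = $LogonTypes[[int]$data['LogonType']]
        CallingComputer = $data['WorkstationName']
        IPAddress       = $data['IpAddress']
        TimeStamp       = [datetime]$evt.System.TimeCreated.SystemTime
    }
}

# Constructed sample event (trimmed to the fields used), so this runs without log access.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2020-09-24T19:50:24.1234567Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">Guest</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">REDQUEEN</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@
ConvertFrom-FailedLogonXml $sample | Format-Table -AutoSize

# Live use from an elevated prompt:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#     ForEach-Object { ConvertFrom-FailedLogonXml $_.ToXml() }
```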


