powershell - 是否有显示实际机器的 AD 锁定脚本

这将返回一个 PsObjects 数组，其中：

• 属性TargetUserName保存被锁定的用户 SamAccountName
• 属性TargetDomainName包含锁定源自的计算机名称
• 属性EventDate将显示锁定发生的时间和日期

代码：

# get the domain controller that has the PDC Emulator Role
$pdc = (Get-ADDomain).PDCEmulator
$splat = @{
    FilterHashtable = @{LogName="Security";Id=4740}
    MaxEvents       = 100
    ComputerName    = $pdc
    Credential      = Get-Credential -Message "Please enter credentials for '$pdc'"
}

$lockedOut = Get-WinEvent @splat | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # create an ordered hashtable object to collect all data
    # add some information from the xml 'System' node first
    $evt = [ordered]@{
        EventDate = [DateTime]$eventXml.System.TimeCreated.SystemTime
        Level     = [System.Diagnostics.Tracing.EventLevel]$eventXml.System.Level
    }
    # next see if there are childnodes under 'EventData'
    if ($eventXml.EventData.HasChildNodes) {
        $eventXml.EventData.ChildNodes | ForEach-Object { 
            $name = if ($_.HasAttribute("Name")) { $_.Name } else { $_.LocalName }
            $value = $_.'#text'

            if ($evt[$name]) { 
                # if an item with that name already exists, make it an array and append
                $evt[$name] = @($evt[$name]) + $value
            }
            else { $evt[$name] = $value }
        }
    }
    # output as PsCustomObject. This ensures the $result array can be written to CSV easily
    [PsCustomObject]$evt
}

# output on screen
$lockedOut | fl *

# output to csv file
$lockedOut | Export-Csv -Path 'D:\lockedout.csv' -NoTypeInformation

例如，如果您想搜索特定用户 (SamAccountName)，只需执行

$lockedOut | Where-Object { $_.TargetUserName -eq 'UserSamAccountName' }

希望有帮助