Bad Password Resets

  • Question

  • I'm still a newbie when it comes to scripting, and need assistance with the following:

    • Query AD to retrieve information with regard to all users with bad password attempts for the last 5 days.
    • The output should then be exported to my local drive as a csv file.

    Can someone please assist?

    • Moved by Bill_Stewart Wednesday, September 4, 2019 3:21 PM This is not "scripts on demand"
    Friday, November 23, 2018 2:01 AM

All replies

  • AD does not maintain bad password attempts.  It only maintains a count of bad attempts.

    You have to monitor the event log for this.  There are third party tools which will do this across a domain and produce comprehensive reports of failed logons.

    You can also find scripts in the Gallery that will help you to learn how to script event log scans.


    \_(ツ)_/

    Friday, November 23, 2018 3:38 PM
  • To help in the search, here is a Gallery script that finds all bad password attempts on all DC's in the domain:

    https://gallery.technet.microsoft.com/Find-All-Accounts-with-Bad-d8dfe958

    For each DC the script outputs the user DN and sAMAccountName, the bad password count, the logon count, and the bad password time. The last three are not replicated, so each DC has different values. The DC that has the PDC Emulator role is identified, since all bad attempts are forwarded to this DC and it has the total count.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, November 23, 2018 4:13 PM
  • Yes - that is a good way to retrieve attempts for known accounts and will likely serve as a first level.  What we really want is all bad login attempts which tells us how many times hackers are attempting to access the system.

    If Richard's script is only what the OP needs then it is the easiest way to get this information.

    I recommend modifying it to generate objects and then we can filter by date and export

    Replace the contents of the loop with this:

                # Retrieve the values and emit one object per user instead of a delimited string.
                [pscustomobject]@{
                    DistinguishedName  = $Result.Properties.Item('distinguishedName')[0]
                    SamAccountName     = $Result.Properties.Item('sAMAccountName')[0]
                    BadPwdCount        = $Result.Properties.Item('badPwdCount')[0]
                    LogonCount         = $Result.Properties.Item('logonCount')[0]
                    # badPasswordTime is a FILETIME (Int64); convert it once as UTC and once as local time.
                    BadPasswordTimeUTC = [datetime]::FromFileTimeUtc($Result.Properties.Item('badPasswordTime')[0])
                    BadPasswordTime    = [datetime]::FromFileTime($Result.Properties.Item('badPasswordTime')[0])
                }
                # Output in comma delimited format.
                #'''$DN'', $NTName, $LogonCount, $BadCount, $BadTime'

    Now we have useful objects.

    .\FindBadPwdAttempts.ps1 | Where{$_.BadPasswordTime -gt [datetime]::Today.AddDays(-5)} | Export-Csv badattempts.csv


    \_(ツ)_/


    • Edited by jrv Friday, November 23, 2018 7:23 PM
    Friday, November 23, 2018 5:16 PM
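As an added, stand-alone example (not the Gallery script and not code from any reply above), here is the same idea written against the RSAT ActiveDirectory module: because badPwdCount and badPasswordTime are not replicated, it queries every DC, flags the PDC emulator (which holds the domain-wide count), filters by date on the server side, and exports one CSV. The parameter names and the default output path are assumptions.

```powershell
# Added example: enumerate bad password attempts per DC within the last N days.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read rights.
#Requires -Modules ActiveDirectory
param(
    [int]$Days = 5,                                              # assumed parameter
    [string]$OutFile = "$env:USERPROFILE\BadPwdAttempts.csv"     # assumed default path
)

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# badPasswordTime is stored as a FILETIME (Int64), so express the cutoff in the
# same unit and let the domain controller do the filtering.
$cutoff = (Get-Date).Date.AddDays(-$Days).ToFileTime()

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-ADUser -Server $dc.HostName `
            -Filter "badPwdCount -gt 0 -and badPasswordTime -ge $cutoff" `
            -Properties badPwdCount, badPasswordTime, logonCount |
        ForEach-Object {
            [pscustomobject]@{
                DomainController  = $dc.HostName
                IsPDCEmulator     = ($dc.HostName -eq $pdc)   # PDCe receives forwarded bad attempts
                DistinguishedName = $_.DistinguishedName
                SamAccountName    = $_.SamAccountName
                BadPwdCount       = $_.badPwdCount             # not replicated: differs per DC
                LogonCount        = $_.logonCount
                BadPasswordTime   = [datetime]::FromFileTime($_.badPasswordTime)
            }
        }
    }
    catch {
        # An unreachable DC should not abort the whole sweep; report it and continue.
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

$results |
    Sort-Object BadPasswordTime -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation

$results
```

The rows from the PDC emulator give the domain-wide picture; rows from the other DCs show where the attempts were actually processed.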
  • Excellent suggestion. I will modify the script. Thanks.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, November 23, 2018 6:57 PM
  • I wasn't suggesting modifying the script as it is a pretty old script but that the OP could just edit it for convenience.

    Actually, the script can generate a CSV as it is.

    .\FindBadPwdAttempts.ps1 | 
        ConvertFrom-Csv | 
        Where{[datetime]::FromFileTime($_.BadPasswordTime) -gt [datetime]::Today.AddDays(-5)} | 
        Export-Csv badattempts.csv


    \_(ツ)_/


    • Edited by jrv Friday, November 23, 2018 7:26 PM
    Friday, November 23, 2018 7:23 PM