This script will help you identify accounts that have had recent bad logon attempts. From there, it’ll allow you to search your security logs to further investigate the account.

We recommend running this script on a domain controller or system that has RSAT tools installed. It’s best to run in an administrative PowerShell session.

Copy and paste this script into your favorite text editor and save it as audit_badlogins.ps1. The script checks which accounts logged a bad logon attempt in the last day; you can adjust it to search several days back by changing the value noted in the comments of the script.

The script will save the results of what it found in a CSV called bad_logons_<date ran>.csv where the script is located.

# -----------------------------------------------------------------
# Audit Bad Logins
# Created by: Christopher Clai - www.syntaxbearror.io
# -----------------------------------------------------------------
# Version 1.0 (August 5th, 2019)
# -----------------------------------------------------------------
#
# Example of running the script:
# .\audit_badlogins.ps1 
#
#
# ##### CHANGELOG ########
# Version 1.0
# 
#
#

Import-Module ActiveDirectory

# Alter the negative number to how many days back you want to go.
$range = ((Get-Date).AddDays(-1)).Date

# -----
# DO NOT EDIT ANYTHING BELOW THIS LINE
# -----

# Date stamp for the file name. "MM" is the month; lowercase "mm" would insert minutes.
$fnmod = Get-Date -Format "yyyyMMdd"
$fname = "bad_logons_" + $fnmod + ".csv"

Get-ADUser -Filter {LastBadPasswordAttempt -ge $range} -Properties LastBadPasswordAttempt | Export-CSV $fname -NoTypeInformation
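
To follow up on the accounts in the CSV, the Security log can be searched for the matching failure events. The sketch below is an added example, not part of the original script. It assumes logon auditing is enabled, that it runs elevated on a domain controller from the folder holding the CSV, and that event IDs 4625, 4771 and 4776 are the ones of interest; each domain controller only holds its own events.

```powershell
# Added example, not part of audit_badlogins.ps1.
$range = ((Get-Date).AddDays(-1)).Date          # same window as the audit script
$csv   = Get-ChildItem -Filter 'bad_logons_*.csv' |
         Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $csv) { throw 'No bad_logons_*.csv found in the current directory.' }

# Case-insensitive set of flagged account names for fast lookup.
$flagged = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Import-Csv $csv.FullName | ForEach-Object { [void]$flagged.Add($_.SamAccountName) }

# 4625 = failed logon, 4771 = Kerberos pre-auth failed, 4776 = NTLM validation.
$filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $range }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the named EventData fields into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = $data['TargetUserName']
    if (-not $user -or -not $flagged.Contains($user)) { continue }
    # 4776 records successes too; Status 0x0 means the validation succeeded.
    if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $user
        # The source field name differs per event ID.
        Source  = @($data['IpAddress'], $data['WorkstationName'], $data['Workstation']) |
                  Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
        Status  = $data['Status']
    }
}

# Summarise per account and source to spot the machine generating the failures.
$hits | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Many failures for one account from a single source usually point to a stale saved credential; one source failing against many accounts deserves a closer look.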
