Troubleshoot Account Bad Password Attempts

PowerShell Version 1 script to assist in troubleshooting accounts experiencing bad password attempts. It can also be used to investigate how accounts get locked out in Active Directory.

 
 
 
 
 
5 Star
(1)
1,396 times
Add to favorites
Active Directory
10/18/2016
E-mail Twitter del.icio.us Digg Facebook
Sign in to ask a question


  • How to check if user enters password history n-2?
    2 Posts | Last post March 17, 2018
    • I come across your blog post: https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx
      
      You haven't mentioned how to check if user enters password history n-2, is there any possibilities to identity this?
    • You want to tell when a user "enters password history n-2". If you mean checking when a user attempts to authenticate with either the n-1 or n-2 password, the only way would be to check if the badPwdCount attribute of the user incremented. It would be best to target the PDC Eumlator for the query. If badPwdCount did not increment, then the password used must have been either n-1 or n-2. The query must be done before lockoutObservationWindow expires after the bad password attempt. The following dsquery command could be used:
      
      dsquery * -Server MyPDC.mydomain.com -Filter "(sAMAccountName=MyUserName)" -Attr sAMAccountName badPwdCount
      
      This would be run right before the authenication attempt, unless you know the count is 0, then right after the attempt to see if the count incremented. A similar PowerShell query would be:
      
      Get-ADUser -Server MyPDC.mydomain.com -Filter {sAMAccountName -eq "MyUserName"} -Properties badPwdCount | Select sAMAccountName, badPwdCount
      
      There is no way to check what is in password history directly.
  • DC
    2 Posts | Last post March 23, 2017
    • I need to specify the list of domain controllers to query. Please help, I'm new to PowerShell.
    • There is no need to specify the domain controllers in this script. The script itself retrieves a list of all DC's in the domain, then queries each for values that are not replicated among DC's. The code demonstrates how to retrieve the list of domain controllers. You can use the code for this in other scripts.