What is the timeframe for 'at least one failed logon attempt' in this script. Is it over the entire current event log? Thanks very much. -Andy
The badPwdCount attribute is reset to 0 on the domain controller when the user authenticates with the correct password.
Since the badPwdCount attribute is not replicated, you really should query all domain controllers in the domain. The search base can include the host name of a DC.