Hi,
we have a few accounts that keep getting locked out.
we have 6 DC's, 2 of which are server 2008 R2 the rest are server 2008.
i have created a scheduled task on the 2 R2 servers to look for event ID 4740 - account locked, and if found, use powershell to send an email with the username, workstation and time of lock out.
this works well if the account was locked out and authenticated against that DC that is r2.
however if the account authenticates against a 2008 server we dont know about it as these dont run powershell
what i am after, is there any way or how would i use the the powershell script to detect to get the lockout event ID's on the other non r2 servers so we can catch the lock outs on the other servers. the powershell script is below that looks for the lock out
$Event=get-eventlog -log security | where {$_.eventID -eq 4740} | Sort-Object index -Descending | select -first 1
$User = $Event.ReplacementStrings[0]
$Computer = $Event.ReplacementStrings[1]
$Domain = $Event.ReplacementStrings[5]
any help would be grateful or if there is a better way to what i am after that would be great.
regards
gavin