IT: Active Directory Checking Locked Accounts, Eventviewer Using Powershell (GPO Audit)

  • Added 20. 08. 2024
    You feel stuck and need coaching. Book a session with me:
    calendly.com/k...
    Mentoring Program:
    www.jobskillsh...
    Join this channel to get access to perks:
    / @kevtechitsupport
    Kevtech Free Resources: Helpdesk (Hands On) How to get started
    kevtechitsuppo...
    My Discord Channel:
    / discord
    You want To Support My Content (Buy me a beer or coffee)
    www.buymeacoff...
    Volunteer in www.raicescybe... check them out and help the community.
    account.course...
    $50 dollars off using KEVTECH50

Comments • 30

  • @stevensitsupport 5 months ago +5

    What is an OUI?
    The first three sets of two hexadecimal numbers in a MAC Address identify the card manufacturer, and this number is called OUI (organizationally unique identifier). It is always the same for NICs manufactured by the same company. Let's say a network card manufactured by Dell has a physical address: 00-14-22-04-25-37. In this address, 00-14-22 is Dell's OUI, which identifies that the device is by Dell. It may be interesting to know that all the OUIs are registered and assigned to the manufacturers by IEEE.

  • @stevensitsupport 5 months ago +4

    4740(S): A user account was locked out.
    Security ID [Type = SID]: SID of account that performed the lockout operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
    Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.

  • @regs_j 5 months ago +1

    Good video Kev, PowerShell is awesome. I've been learning over the past 5 months and it's very useful.

  • @tonysmith9316 5 months ago +1

    Here from LinkedIn
    Thanks Kev

  • @In_Space_Khalil 5 months ago +1

    Thank you for all of your great content, Kev.🤙🏾

  • @HieuNguyen-mz7oy 5 months ago +2

    Thank you Kev!

  • @christophercahall3092 5 months ago +1

    Installed Sysmon and created an index file to feed to Splunk, another good project to work on.

  • @rasull 5 months ago +1

    Filter the Security log for 4740 in Event Viewer if there are lots of logs.

  • @MyTechJourney15 5 months ago +1

    Great info! I’m curious though what was the specific job role that you were interviewing for when they asked about event viewer?

  • @4ever1331 5 months ago

    I'm so glad you did this video. I have a user locking up multiple times a week. Can you share the notepad command if possible? Thanks as always Kevin!

    • @KevtechITSupport 5 months ago

      It's in the comment section. Someone just asked about it.

  • @bhaskarjoshi3440 5 months ago +1

    Sir, please make videos on FSMO roles with practical videos.

  • @erikcoronel268 5 months ago +1

    Thank you! Could you share the PowerShell commands please?

    • @KevtechITSupport 5 months ago

      Put it on Google Drive: drive.google.com/drive/folders/1roo_TlZeBPxxKAi-acK650a1AGBHECHM?usp=sharing

  • @jgsource552 5 months ago +1

    Hi Kev, just curious. Would you say it's easier to get into a sysadmin role or into cybersecurity nowadays if you have experience working in help desk? Both look very interesting to me.

  • @octoberscott3912 5 months ago

    Hello Kev, thank you for this video. I couldn’t see the commands on my end. Can you provide a screenshot of the PS commands you used in this video, please? Thanks!

    • @KevtechITSupport 4 months ago

      drive.google.com/drive/folders/1roo_TlZeBPxxKAi-acK650a1AGBHECHM?usp=drive_link

  • @techytech3487 5 months ago +1

    5:50

  • @bulcub 5 months ago +1

    In the real world, phone jockeys don't have access to GPO! You will have limited access to AD and def not DNS or DHCP! You only have access to high level when you are a Sr Desktop person. Now if you can remote into that user's PC, then you can check the Event Viewer etc. Also 95% of phone jockeys don't know how to use PowerShell and if they did, they would be working for someone else who is paying for that COVETED SKILL SET. If the standard is still the same, as a phone jockey you are responsible for 80% break/fix? Which has been in effect since 1993. Prob b4 you were born.

  • @stevensitsupport 5 months ago

    dnschecker.org/mac-lookup.php?query=0-11-22-33-44-55 -- What we do at work is use this website, which I found was pretty good. Once the people find out what device is locking you out they can send you the MAC address, and then the first three groups of that MAC address will tell you what the manufacturer is. Then maybe you can go ahead and track down the device once you know whether it's a laptop or desktop, or if the network interface card is coming from an access point. That way you can maybe get a little better understanding of where you're getting locked out from.
    Like if you're getting locked out from an access point, it could be your phone that's doing it. Maybe you put your username and password in for your work to get on the Internet and for some reason you forgot to change it once you changed your password. We've also seen people at work use it for TVs to get them Internet access, and they forget about it and they go ahead and change their password after the 90 days. And they get repeated lockouts. That's why you gotta ask all the questions to the user, or the techs themselves: did they log into a device 30 days ago, 60 days ago, whatever, a TV, your phone, a certain desktop or laptop that's sitting around the office that maybe you just didn't reboot. So these are all the things you've got to look out for when you're dealing with account lockouts. First you've got to find out what the device is. If you don't have access to that, the help desk should find out from the networking department, or the Active Directory department could look and see what device is locking you out with some other special software that may have to find this out for you.
    And yes, even us techs get locked out too. Case in point, the place that I work I get calls every day from techs saying unlock their account because they forgot where they logged into and they don't really remember. They have to call up the help desk and get it tracked to see what device is locking them out. Just remember it's not all about the user, it's the techs too. You gotta keep in mind when you log into something; that's why I always like to restart the computer after I'm done with it, that way it's nice and clean and I know I've been logged out. Thank you, I hope this information helps.

  • @bulcub 5 months ago +1

    Why use PowerShell for all of that? Too much! AD/user comp/username and you will see if they are locked out. If so, unlock, issue perm to change pw and move on.

    • @KevtechITSupport 5 months ago +2

      Just showing an alternative way of doing it using PowerShell, since everyone wants to see more PowerShell videos.

    • @stevensitsupport 5 months ago +1

      PowerShell rocks when you are unlocking AD user accounts. All you have to do is have RSAT installed and then just use the cmdlet -- Unlock-ADUser, then the user ID, then press Enter. It takes 1 sec to unlock the account.

    • @stevensitsupport 5 months ago +2

      What people also have to remember is you need admin rights to the domain controller to see the Security event logs from the domain controller. If you do not have that high level access, you will not be able to see what device is locking you out from the domain controller. Just something to think about when you are running cmdlets against the domain controller. Never stop learning.
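The three pieces the commenters describe (filtering the Security log for event 4740, reading the Caller Computer Name out of it, and unlocking with Unlock-ADUser only after the source device is known) put together as one script. This is an added example, not the video's Google Drive commands or any commenter's code; it assumes RSAT's ActiveDirectory module, read access to the domain controller's Security log, and a DC named DC01 and a sample user jdoe, both of which are placeholders.

```powershell
# Added example (not from the video or its comments). Lists 4740 lockouts from
# a DC's Security log with the computer that caused each one, then shows the
# AD-side check and unlock. Requires RSAT and rights to read the DC's log.
param(
    [string]$DomainController = 'DC01',   # assumed placeholder, replace with your DC
    [int]$Hours = 24                      # how far back to look
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740                       # "A user account was locked out"
    StartTime = (Get-Date).AddHours(-$Hours)
}

$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read named EventData fields from the event XML instead of relying on
        # positional Properties[] indexes. In 4740, TargetUserName is the locked
        # account and TargetDomainName carries the "Caller Computer Name".
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            DC             = $_.MachineName
        }
    }

# Newest first, one row per lockout
$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

# Group by account + caller to spot the repeat offenders the comments describe
# (stale credentials on a phone, a TV, a forgotten session on another PC).
$lockouts | Group-Object LockedAccount, CallerComputer |
    Select-Object Count, Name | Sort-Object Count -Descending

# AD-side cross-check: which accounts are currently locked out?
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate

# Unlock only once the device in CallerComputer has been found and fixed,
# otherwise the stale credential will lock the account again within minutes.
# Unlock-ADUser -Identity 'jdoe' -Confirm    # 'jdoe' is an assumed sample user
```

If Get-WinEvent returns nothing, check that you have the rights mentioned above and that the DC in question is the one the lockout was reported to; the PDC emulator receives a copy of every lockout, so querying it is the usual shortcut.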
