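# Account-lockout triage for a single user.
#
# Opens a PowerShell remoting session to AD2 (192.168.0.6) and, from there,
# reads the Security log of AD1 and of AD2 itself for the events that usually
# explain a lockout:
#   4740 - account locked out (reports the caller computer)
#   4771 - Kerberos pre-authentication failed
#   4776 - NTLM credential validation
#   4625 - failed logon
# Output is plain text, one line per event, at most 30 events per section.

# The credential is requested at run time instead of being embedded in the
# script: a plaintext password in a script file is readable by anyone who can
# read the file, its backups or its version history. The literal that used to
# be here should be treated as exposed and rotated.
$cred = Get-Credential -UserName 'INTRANET\sysadmin' -Message 'Credential for remote Security log queries'

# Query lockout events from AD1 via AD2 (same subnet hop).
# NOTE(review): the target is an IP address with -Authentication Negotiate, which
# normally means NTLM, and NTLM sessions cannot delegate. The inner
# "Get-WinEvent -ComputerName AD1" calls are a second hop and may be refused -
# confirm they return data rather than an access error.
Invoke-Command -ComputerName 192.168.0.6 -Credential $cred -Authentication Negotiate -ScriptBlock {

    # Account under investigation; compared against the user-name field of each event.
    $targetUser = 'jlohr'

    # Get-WinEvent reports "no matching events" as an error, which -ErrorAction Stop
    # turns into an exception. Each catch block below maps that one case to
    # " None found" so that an empty result is not shown as a failure.

    # Query AD1's event log from AD2 (both on same subnet)
    Write-Output "=== Lockout Events (4740) from AD1 ==="
    try {
        # 4740: Properties[0] = locked-out account, Properties[1] = caller computer
        $lockouts = Get-WinEvent -ComputerName AD1 -FilterHashtable @{LogName='Security'; Id=4740; StartTime=(Get-Date).AddDays(-7)} -ErrorAction Stop |
            Where-Object { $_.Properties[0].Value -eq $targetUser } |
            Select-Object -First 30
        foreach ($e in $lockouts) {
            Write-Output "$($e.TimeCreated) | Caller: $($e.Properties[1].Value)"
        }
        if (-not $lockouts) { Write-Output " None found" }
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { Write-Output " None found" }
        else { Write-Output " ERROR: $_" }
    }

    Write-Output "`n=== Kerberos Failures (4771) from AD1 ==="
    try {
        # 4771: Properties[0] = account, Properties[4] = status, Properties[6] = client address
        $k = Get-WinEvent -ComputerName AD1 -FilterHashtable @{LogName='Security'; Id=4771; StartTime=(Get-Date).AddDays(-3)} -ErrorAction Stop |
            Where-Object { $_.Properties[0].Value -eq $targetUser } |
            Select-Object -First 30
        foreach ($e in $k) {
            Write-Output "$($e.TimeCreated) | IP: $($e.Properties[6].Value) | Status: $($e.Properties[4].Value)"
        }
        if (-not $k) { Write-Output " None found" }
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { Write-Output " None found" }
        else { Write-Output " ERROR: $_" }
    }

    Write-Output "`n=== NTLM Failures (4776) from AD1 ==="
    try {
        # 4776 field order is PackageName, TargetUserName, Workstation, Status, so the
        # workstation is Properties[2] and the result code is Properties[3]. The earlier
        # indices (0 and 2) printed the package name as the workstation and never
        # actually filtered on the status.
        $n = Get-WinEvent -ComputerName AD1 -FilterHashtable @{LogName='Security'; Id=4776; StartTime=(Get-Date).AddDays(-3)} -ErrorAction Stop |
            Where-Object { $_.Properties[1].Value -eq $targetUser -and $_.Properties[3].Value -ne 0 } |
            Select-Object -First 30
        foreach ($e in $n) {
            Write-Output "$($e.TimeCreated) | Workstation: $($e.Properties[2].Value) | Error: $($e.Properties[3].Value)"
        }
        if (-not $n) { Write-Output " None found" }
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { Write-Output " None found" }
        else { Write-Output " ERROR: $_" }
    }

    Write-Output "`n=== Logon Failures (4625) from AD1 ==="
    try {
        # 4625: [5] = target account, [8] = failure reason, [10] = logon type,
        #       [13] = workstation name, [19] = source address
        $f = Get-WinEvent -ComputerName AD1 -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-3)} -ErrorAction Stop |
            Where-Object { $_.Properties[5].Value -eq $targetUser } |
            Select-Object -First 30
        foreach ($e in $f) {
            Write-Output "$($e.TimeCreated) | Source: $($e.Properties[13].Value) ($($e.Properties[19].Value)) | Type: $($e.Properties[10].Value) | Reason: $($e.Properties[8].Value)"
        }
        if (-not $f) { Write-Output " None found" }
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { Write-Output " None found" }
        else { Write-Output " ERROR: $_" }
    }

    # Also check AD2's own logs (local query, no -ComputerName, so no second hop)
    Write-Output "`n=== Lockout Events (4740) from AD2 ==="
    try {
        $l2 = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=(Get-Date).AddDays(-7)} -ErrorAction Stop |
            Where-Object { $_.Properties[0].Value -eq $targetUser } |
            Select-Object -First 30
        foreach ($e in $l2) {
            Write-Output "$($e.TimeCreated) | Caller: $($e.Properties[1].Value)"
        }
        if (-not $l2) { Write-Output " None found" }
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { Write-Output " None found" }
        else { Write-Output " ERROR: $_" }
    }
} -ErrorAction Stop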