Move 150+ scripts from root and scripts/ into client/project directories: - clients/dataforth/scripts/ (110 files: AD2, sync, SSH, DB, DOS scripts) - clients/bg-builders/scripts/ (14 files: Lesley mgmt, Exchange, termination) - clients/internal-infrastructure/scripts/ (10 files: GDAP, Gitea, backups) - projects/msp-tools/scripts/ (9 files: CIPP, MSP onboarding, Datto) - projects/gururmm-agent/scripts/ (3 files: API test, JWT, record counts) - clients/glaztech/scripts/ (1 file: CentraStage removal) Also reorganized: - VPN scripts → infrastructure/vpn-configs/ - Retrieved API/JS files → api/ - Forum posts → projects/community-forum/forum-posts/ - SSH docs → clients/internal-infrastructure/docs/ - NWTOC/CTONW docs → projects/wrightstown-smarthome/docs/ - ACG website files → projects/internal/acg-website-2025/ - Dataforth docs → clients/dataforth/docs/ - schema-retrieved.sql → docs/database/ Deleted 24 tmp_*.ps1 one-off debug scripts (preserved in git history). Root reduced from 220+ files to 62 items (docs + directories only). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
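<#
.SYNOPSIS
    Lists recent lockout and authentication-failure events for one account, read from
    AD1 through a remote session on AD2 (same-subnet hop), plus AD2's own lockout events.

.DESCRIPTION
    Opens a remote session on AD2 and, from there, queries the Security log of AD1 for
    events 4740, 4771, 4776 and 4625 and AD2's local Security log for 4740, keeping only
    events whose account property matches -TargetUser. Each category prints a header and
    then up to 30 lines (one per event), or " None found" / " ERROR: ...".

    The session credential is requested at run time with Get-Credential. An earlier
    revision of this script embedded the sysadmin password in plaintext; that value has
    been in version control and should be treated as exposed.

.PARAMETER Ad2
    Host name or address the remote session is opened on. Default: 192.168.0.6.
.PARAMETER Ad1
    Host name of the DC whose log is read from inside that session. Default: AD1.
.PARAMETER TargetUser
    Account name the events are filtered to. Default: jlohr.
.PARAMETER UserName
    Account used for the remote session. Default: INTRANET\sysadmin.
.PARAMETER LockoutDays
    Lookback window, in days, for 4740 events. Default: 7.
.PARAMETER FailureDays
    Lookback window, in days, for 4771/4776/4625 events. Default: 3.
#>
[CmdletBinding()]
param(
    [string]$Ad2 = '192.168.0.6',
    [string]$Ad1 = 'AD1',
    [string]$TargetUser = 'jlohr',
    [string]$UserName = 'INTRANET\sysadmin',
    [int]$LockoutDays = 7,
    [int]$FailureDays = 3
)

# Prompt for the secret instead of embedding it: nothing to leak through the
# repository, shell history or a session transcript.
$cred = Get-Credential -UserName $UserName -Message "Credential for the remote session on $Ad2"
if (-not $cred) { throw 'No credential supplied; aborting.' }

# Query lockout events from AD1 via AD2 (same subnet hop)
Invoke-Command -ComputerName $Ad2 -Credential $cred -Authentication Negotiate -ErrorAction Stop -ScriptBlock {
    # $using: is only valid directly in the remote block, so copy the values into
    # locals that the nested function and the filter/format blocks can resolve.
    $targetUser  = $using:TargetUser
    $ad1         = $using:Ad1
    $lockoutDays = $using:LockoutDays
    $failureDays = $using:FailureDays

    # Runs one Security-log query and prints the matching events under a header.
    #   Title        - header line written before the events
    #   Id           - event ID to query
    #   Days         - lookback window in days
    #   Filter       - Where-Object predicate selecting the target account
    #   Format       - scriptblock turning one event into its output line
    #   ComputerName - DC to read from; omit to read this host's own log
    # Errors from the query are reported on stdout as " ERROR: ..." and do not
    # stop the remaining categories.
    function Show-Events {
        param(
            [string]$Title,
            [int]$Id,
            [int]$Days,
            [scriptblock]$Filter,
            [scriptblock]$Format,
            [string]$ComputerName
        )
        Write-Output $Title
        try {
            $query = @{
                FilterHashtable = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddDays(-$Days) }
                ErrorAction     = 'Stop'
            }
            if ($ComputerName) { $query['ComputerName'] = $ComputerName }
            # Select-Object -First ends the pipeline after 30 matches, so the whole
            # window is not pulled across the wire.
            $events = @(Get-WinEvent @query | Where-Object $Filter | Select-Object -First 30)
            foreach ($e in $events) { Write-Output (& $Format $e) }
            if ($events.Count -eq 0) { Write-Output " None found" }
        } catch {
            Write-Output " ERROR: $_"
        }
    }

    # Property indices and output labels below are carried over unchanged from the
    # original per-category blocks.
    Show-Events -Title "=== Lockout Events (4740) from $ad1 ===" -ComputerName $ad1 -Id 4740 -Days $lockoutDays `
        -Filter { $_.Properties[0].Value -eq $targetUser } `
        -Format { param($e) "$($e.TimeCreated) | Caller: $($e.Properties[1].Value)" }

    Show-Events -Title "`n=== Kerberos Failures (4771) from $ad1 ===" -ComputerName $ad1 -Id 4771 -Days $failureDays `
        -Filter { $_.Properties[0].Value -eq $targetUser } `
        -Format { param($e) "$($e.TimeCreated) | IP: $($e.Properties[6].Value) | Status: $($e.Properties[4].Value)" }

    # NOTE(review): for 4776 the original filters on [1] as the account and prints [0]
    # as the workstation and [2] as the error; confirm that layout against the event's
    # property order before relying on the Workstation/Error columns.
    Show-Events -Title "`n=== NTLM Failures (4776) from $ad1 ===" -ComputerName $ad1 -Id 4776 -Days $failureDays `
        -Filter { $_.Properties[1].Value -eq $targetUser -and $_.Properties[2].Value -ne 0 } `
        -Format { param($e) "$($e.TimeCreated) | Workstation: $($e.Properties[0].Value) | Error: $($e.Properties[2].Value)" }

    Show-Events -Title "`n=== Logon Failures (4625) from $ad1 ===" -ComputerName $ad1 -Id 4625 -Days $failureDays `
        -Filter { $_.Properties[5].Value -eq $targetUser } `
        -Format { param($e) "$($e.TimeCreated) | Source: $($e.Properties[13].Value) ($($e.Properties[19].Value)) | Type: $($e.Properties[10].Value) | Reason: $($e.Properties[8].Value)" }

    # Also check AD2's own logs (no -ComputerName: the session host's local Security log)
    Show-Events -Title "`n=== Lockout Events (4740) from AD2 ===" -Id 4740 -Days $lockoutDays `
        -Filter { $_.Properties[0].Value -eq $targetUser } `
        -Format { param($e) "$($e.TimeCreated) | Caller: $($e.Properties[1].Value)" }
}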