PowerShell : Why can't my user log on?

If you want to know why a user's log on attempt failed, the information is there, but it is buried in a pile of events on your domain controllers. You can filter them in Event Viewer, but that is painful and slow.

Before we begin it is worth noting that the Security log is local to each DC and is not replicated, so you need to know which DC the user's machine authenticated against. Pinging the domain name from the user's machine and seeing which DC it resolves to is a quick guess, but nltest /dsgetdc:<domain> run on that machine tells you which DC the locator actually picked. Note also that event 4625 is written on the computer where the logon was attempted: a failed interactive logon at a workstation lands in that workstation's Security log, and the DC only records the credential check (4771 for Kerberos, 4776 for NTLM). The DC query below therefore catches logons to the DC itself, such as to shares or RDP on the DC; if it shows nothing, run the same query on the user's machine.

Log onto the DC and run the following :-

$Today = (Get-Date).Date    # midnight today, so the filter means "today", not "this day of any month"

# Let the event log do the filtering: -InstanceId and -After are far faster
# than piping the whole Security log through Where-Object.
$failevents = Get-EventLog -LogName Security -InstanceId 4625 -After $Today

# Keep only the events that mention the user we care about (wrapped in @()
# so .Count works when there is exactly one match).
$Filter = @($failevents | Where-Object { $_.Message -like '*Joe.Blogs*' })

Write-Host "There have been $($Filter.Count) failed log in attempts today"

$Filter

Write-Host "Check Failure code"

if ($Filter.Count -gt 0) { $Filter[0].Message }

This tells you how many failed attempts the user has had today and prints the message text of the first one, which carries the failure reason. With Get-EventLog the reason often shows up as an unresolved %%NNNN token; the key for those codes is below (the number in brackets is the legacy Windows Server 2003 event ID for the same failure). The same message also carries a Status and a Sub Status field; the Sub Status is the NTSTATUS code that pins down the exact cause, which matters when the reason text is only the generic "unknown user name or bad password".

  • %%2305 The specified user account has expired. (532)
  • %%2309 The specified account's password has expired. (535)
  • %%2310 Account currently disabled. (531)
  • %%2311 Account logon time restriction violation. (530)
  • %%2312 User not allowed to logon at this computer. (533)
  • %%2313 Unknown user name or bad password. (529)
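The decoding the post leaves to the reader, as an added example that is not the original post's code: it pulls the failing account, logon type, source, Failure Reason and the Status/Sub Status codes out of a 4625 message, resolves raw %%23xx tokens using the key above, and wraps Get-WinEvent (which filters inside the log service and still exists where Get-EventLog does not, such as PowerShell 7). The function names, the sample message and its values are constructed for this example; the Sub Status table lists documented NTSTATUS values.

```powershell
# Added example, not the original post's code. Decodes a 4625 message and
# wraps Get-WinEvent for today's failed logons. Sample message is constructed.

# Failure Reason tokens as Get-EventLog shows them when the message resource
# is not resolved (the key from the post).
$FailureReasonTokens = @{
    '%%2305' = 'The specified user account has expired.'
    '%%2309' = "The specified account's password has expired."
    '%%2310' = 'Account currently disabled.'
    '%%2311' = 'Account logon time restriction violation.'
    '%%2312' = 'User not allowed to logon at this computer.'
    '%%2313' = 'Unknown user name or bad password.'
}

# Sub Status is the precise NTSTATUS reason; Status is usually just the
# generic 0xC000006D (STATUS_LOGON_FAILURE) wrapper around it.
$SubStatusMeanings = @{
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'User name is valid but the password is wrong'
    '0xC000006F' = 'Logon outside the permitted logon hours'
    '0xC0000070' = 'User not allowed to log on from this workstation'
    '0xC0000071' = 'Password has expired'
    '0xC0000072' = 'Account is disabled'
    '0xC0000133' = 'Clock skew between client and DC is too large'
    '0xC000015B' = 'Logon type not granted to this user (user rights)'
    '0xC0000193' = 'Account has expired'
    '0xC0000224' = 'User must change password at next logon'
    '0xC0000234' = 'Account is locked out'
}

$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-MessageField {
    param([string]$Text, [string]$Label)
    # "Label:<tabs/spaces>value" on its own line; trailing whitespace dropped.
    if ($Text -match "(?m)^\s*${Label}:\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

function ConvertFrom-FailedLogonMessage {
    param([Parameter(Mandatory)][string]$Message)

    # "Account Name:" appears twice (the subject, then the account that failed);
    # everything after this header describes the failing account.
    $target = ($Message -split 'Account For Which Logon Failed:')[-1]

    $reason = Get-MessageField $target 'Failure Reason'
    if ($reason -and $FailureReasonTokens.ContainsKey($reason)) {
        $reason = $FailureReasonTokens[$reason]        # resolve a raw %%23xx token
    }
    $sub  = Get-MessageField $target 'Sub Status'
    $type = Get-MessageField $Message 'Logon Type'      # sits above the target block

    $meaning = 'Sub Status not in the table; look up the NTSTATUS value'
    if ($sub -and $SubStatusMeanings.ContainsKey($sub)) { $meaning = $SubStatusMeanings[$sub] }
    $typeText = $null
    if ($type) { $typeText = "$type ($($LogonTypes[[int]$type]))" }

    [pscustomobject]@{
        Account       = Get-MessageField $target 'Account Name'
        Domain        = Get-MessageField $target 'Account Domain'
        LogonType     = $typeText
        Workstation   = Get-MessageField $target 'Workstation Name'
        SourceAddress = Get-MessageField $target 'Source Network Address'
        FailureReason = $reason
        Status        = Get-MessageField $target 'Status'
        SubStatus     = $sub
        Meaning       = $meaning
    }
}

function Get-FailedLogonsToday {
    param([Parameter(Mandatory)][string]$User, [string]$ComputerName = $env:COMPUTERNAME)
    # The hashtable filter is evaluated by the event log service, so only
    # today's 4625 events come back instead of the whole Security log.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).Date }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-FailedLogonMessage -Message $_.Message } |
        Where-Object { $_.Account -eq $User }      # exact match on the failing account
}

# Constructed 4625 message in the layout Windows uses, with made-up values.
$sample = @'
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Joe.Blogs
    Account Domain:     CONTOSO

Failure Information:
    Failure Reason:     %%2313
    Status:             0xC000006D
    Sub Status:         0xC000006A

Network Information:
    Workstation Name:   WS-0421
    Source Network Address: 10.0.4.21
    Source Port:        52211
'@

ConvertFrom-FailedLogonMessage -Message $sample | Format-List
# On a DC, the live equivalent of the post's query:
#   Get-FailedLogonsToday -User 'Joe.Blogs' | Format-Table Account, LogonType, SourceAddress, Meaning
```

For the constructed sample this reports Joe.Blogs from 10.0.4.21 with a network (type 3) logon whose Sub Status 0xC000006A means the user name was valid but the password was wrong, which is the distinction the generic "unknown user name or bad password" text hides. The -ErrorAction SilentlyContinue on Get-WinEvent suppresses the "No events were found" error that an empty day produces, so add -Verbose or drop it while troubleshooting access-denied problems against a remote DC.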