Whenever someone logs on with invalid credentials, there will be a log entry in the security log.
Here is a function that can read these events from the security log (Admin privileges needed). It will then list all the invalid logons found in the log:
# requires Admin privileges! function Get-LogonFailure { param($ComputerName) try { Get-EventLog -LogName security -EntryType FailureAudit -InstanceId 4625 -ErrorAction Stop @PSBoundParameters | ForEach-Object { $domain, $user = $_.ReplacementStrings[5,6] $time = $_.TimeGenerated "Logon Failure: $domain\$user at $wann" } } catch { if ($_.CategoryInfo.Category -eq 'ObjectNotFound') { Write-Host "No logon failures found." -ForegroundColor Green } else { Write-Warning "Error occured: $_" } } }
Note that this function can work remotely, too. Use the -ComputerName parameter to query a remote system. The remote system needs the running RemoteRegistry service, and you need local administrator privileges on the target machine.
