So, if you want to dig into this information, all you need is to open Event Viewer, head into System under Windows logs, and filter out these specific event IDs.

• Event ID 41 – indicating that the computer rebooted without shutting down completely.
• Event ID 1074 – indicating that a reboot was triggered by an application, including when a user restarted or shut down their computer from the Start Menu or by using Ctrl + Alt + Del.
• Event ID 1076 – records the reason why the computer was shut down or restarted. It’s recorded by the first user with shutdown privilege who logs on to the computer after an unexpected restart.
• Event ID 6006 – indicating whether the computer shuts down correctly.
• Event ID 6008 – indicating whether the computer shuts down abnormally or unexpectedly.

But I am not going to lie, it’s quite the work to dig out this information, especially on a remote computer. This is another place where PowerShell really shines in its own way.

Get-EventLog is the cmdlet that pulls event logs not only from your local computer but remote computers on the same network as well.

To pull the system log from a remote computer called Backup,

Get-EventLog -LogName System -ComputerName Backup

The list might be too long. So let’s only pull the logs after Jan 1, 2022.

Get-EventLog -LogName System -ComputerName Backup -After "2022/01/01"

Now here comes the tricky part, how do I find out these specific events based on the above Event IDs? There are no options to filter out directly so we need to pipe the result through.

Get-EventLog -LogName System -ComputerName Backup -After "2022/01/01" | Where-Object {$_.EventID -in (1074,1076,6006,6008)}

One more thing, let’s format the output a bit to show the full event message without being cut off.

Get-EventLog -LogName System -ComputerName Backup -After "2022/01/01" | Where-Object {$_.EventID -in (1074,1076,6006,6008)} | Format-Table TimeGenerated, EventID, Message -Wrap

The problem is, every type of event ID has different string array structure. So you need to exam each of them separately. To find a certain type of event ID’s structure, open one of the log entry, switch to Details tab and look at the EventData section.

Take an event ID 4740 entry as an example. It lays out as it’s structured, starting from 0, which is TargetUserName, the user account that gets locked out. The next one will be 1 for TargetDomainName, the computer where the account gets locked out.

So you can retrieve the data and display them accordingly, using ReplacementString[0] to get the data for TargetUserName and ReplacementString[1] for TargetDomainName.

Here is a script that retrieves lockout account info from the security event log, for your reference.

#Collect lockout accounts from ADS

$logname = "security"
$dcname = (Get-AdDomain).pdcemulator
$eventID = "4740"
$content = Get-EventLog -LogName $logname -ComputerName $dcname -After (Get-Date).AddDays(-1) -InstanceId $eventID | Select TimeGenerated, ReplacementStrings
$ofs = "`r`n`r`n"
$body = "Fetching event log started on " + (Get-Date) + $ofs

If ($content -eq $null)
{
    $body = $body + "No lock-out accounts happened today" + $ofs
}
Else 
{
    Foreach ($event in $content)
    {
        $source = $content.ReplacementStrings[1]
        $username = $content.ReplacementStrings[0]
        $body = $body + $event.TimeGenerated + ": " + $username + " - " + $source + $ofs
    }
}
$body

Hope it helps.

Asking help from PowerShell is my answer.

There are two places where we can gather this information. The AD contains the bad password attempts and the lockout status while the security event log saves the user account lockout information when it happens.

To get bad password attempts info from AD, use Get-ADUser cmdlet.

Get-ADUser -Filter * -Properties AccountLockoutTime,LastBadPasswordAttemptBadPwdCount,LockedOut

If you want just the info for the past day, pipe the result to Where clause.

Get-ADUser -Filter * -Properties AccountLockoutTime,LastBadPasswordAttemptBadPwdCount,LockedOut | Where {$_.LastBadPasswordAttempt -gt (Get-Date).AddDays(-1)}

To get the account lockout info, use Get-EventLog cmd to find all entries with the event ID 4740. Use -After switch to narrow down the date.

Get-EventLog -LogName "Security" -ComputerName "AD_Server" -After (Get-Date).AddDays(-1) -InstanceID "4740" | Select TimeGenerated, ReplacementString

Depending on the size of the log file, it could take a while to get all the result.

Going through the result, you may find the data shown on the screen is incomplete. That’s because the ReplacementString is a string array that contains the event log data in an XML type of format. Each event type has its own string structure. For 4740 events, 

• ReplacementString[0] stores the name of the computer where the account gets locked out and
• ReplacementString[1] indicates the name of the user account that gets locked out.

So, instead of running the above cmdlet, the following script provides a lot more clear useful info.

#Collect lockout accounts from ADS

$logname = "security"
$dcname = (Get-AdDomain).pdcemulator
$eventID = "4740"
$content = Get-EventLog -LogName $logname -ComputerName $dcname -After (Get-Date).AddDays(-1) -InstanceId $eventID | Select TimeGenerated, ReplacementStrings
$ofs = "`r`n`r`n"
$body = "Fetching event log started on " + (Get-Date) + $ofs

If ($content -eq $null)
{
    $body = $body + "No lock-out accounts happened today" + $ofs
}
Else 
{
    Foreach ($event in $content)
    {
        $source = $content.ReplacementStrings[1]
        $username = $content.ReplacementStrings[0]
        $body = $body + $event.TimeGenerated + ": " + $username + " - " + $source + $ofs
    }
}
$body

Hope it helps.