Introduction to Command Line Skills Assessment N10

I’ve gone as far as to read all of the messages in the Event log using Get-WinEvent -FilterHashTable @{Logname=‘security’;ID=‘4265’} | select-object -ExpandProperty where I see a large number of login attempts for administrator and user0 but neither of those selections seems correct. Help would be much appreciated, thank you in advance.

After Using Get-WinEvent -FilterHashTable @{LogName='Security'; ID=;4625'} I was able to drill down

to several entries from the 21 and 22 of November.
Setting variables $StartTime and $EndTime I was able to drill down using

Get-WinEvent -FilterHashTable @{LogName='Security'; ID='4625';StartTime=$StartTime;EndTime=$EndTime} | Select-Object -ExpandProperty Message

I’m given three account names that have successive log on (administrator, user0, and user1).

However none of the three are the correct answer. A little help would be much appreciated

So after a little digging and a lot of research on active directory commands in powershell I ended up counting bad password attempts Get-ADUser -Filter * -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut

Hello GuySensel,

So I finally figured it out. You need to log into the Domain Controller after sshing to the machine which means you have ssh to after you ssh to the regular ip address. then start look for suspicious user account name in the -expandproperty message of the failed longons.

the correct answer is (Just a little hint): ju***********admin