
Level Verified

Windows Failed Admin Login Script

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

Repeated failed login attempts on administrator accounts can indicate brute-force attacks, unauthorized access attempts, or misconfigured credentials. Monitoring these failed logins in real-time helps IT professionals and MSPs quickly identify and mitigate potential security threats before they lead to a breach.

Description

This script scans Windows Event Logs for failed login attempts (Event ID 4625) within the last hour and cross-references the failed attempts against a list of administrator accounts. If any failed login attempts are detected for admin users, the script generates an alert, allowing IT teams to investigate and respond proactively. By integrating this script with a script-based monitor in Level, organizations can receive real-time alerts whenever unauthorized admin login attempts occur.

Script

<#
This resource is provided as a convenience for Level users. We cannot 
guarantee it will work in all environments. Please test before deploying 
to your production environment. We welcome contributions to our community 
library

# Level Library
# https://level.io/library/script-windows-failed-admin-login
#>

# Start of the detection window: one hour before now
$TimeFrame = (Get-Date).AddHours(-1)

# Get failed logon attempts in the last hour (Security log, Event ID 4625).
# -FilterHashtable filters in the event log service, so only matching events are returned.
$FailedLogins = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id = 4625
    StartTime = $TimeFrame
} -ErrorAction SilentlyContinue

# Get a list of administrator accounts.
# Member names come back as "COMPUTER\user" or "DOMAIN\user"; strip the prefix.
$AdminAccounts = (Get-LocalGroupMember -Group "Administrators").Name -replace '^.*\\'  # Extracts just usernames

if ($FailedLogins.Count -gt 0) {
    $AlertMessage = "ALERT: Failed admin login attempts detected in the last hour!`n"

    # Extract usernames from the events.
    # 4625 stores the account that was targeted in the TargetUserName field of EventData.
    $FailedAdminLogins = $FailedLogins | ForEach-Object {
        $Xml = [xml]$_.ToXml()
        $Account = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq "TargetUserName" } | Select-Object -ExpandProperty "#text"

        if ($Account -and $AdminAccounts -contains $Account) {
            $Account  # Return only matching admin accounts
        }
    }

    if ($FailedAdminLogins) {
        $FailedAdminLogins | ForEach-Object { $AlertMessage += " - Failed login for admin account: $_`n" }
        Write-Host $AlertMessage.Trim()
        exit 1  # Non-zero exit code is what the Level monitor alerts on
    }
}

Write-Host "No failed admin login attempts detected."
exit 0

Use Cases

  • Detect brute-force attacks targeting administrator accounts.
  • Monitor for unauthorized access attempts by internal or external threats.
  • Enhance security logging and compliance auditing.
  • Identify misconfigured or outdated credentials causing repeated login failures.

Recommendations

  • Pair with a script-based monitor in Level to generate alerts when failed admin login attempts occur.
  • Test before deploying in a production environment to ensure accurate detection.
  • Regularly review failed login logs to identify patterns of suspicious activity.
  • Consider automated remediation by locking accounts with excessive failed attempts.
  • Ensure proper log retention policies to maintain historical security data for auditing.
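The recommendations above ask for pattern review and threshold-based remediation, which the library script does not do on its own: it alerts on a single failure. The following is an added example, not the Level library script, that extends the same Event ID 4625 query to count failures per admin account and per source address (the event's IpAddress field) and alerts only when one account/source pair reaches a threshold. It assumes it runs elevated on the monitored host; the window size ($Hours), the threshold ($Threshold) and the output wording are choices made here, not settings from the page.

```powershell
# Added example (not the Level library script): threshold-based failed admin logon check.
# Assumptions: run elevated on the monitored host; $Hours and $Threshold are values chosen here.
$Hours     = 1
$Threshold = 5   # alert when one admin account sees this many failures from a single source
$Since     = (Get-Date).AddHours(-$Hours)

# Local Administrators, normalised to bare user names. Get-LocalGroupMember can throw on
# orphaned SIDs, so fall back to an empty list and report it rather than aborting the monitor.
try {
    $AdminAccounts = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name -replace '^.*\\'
} catch {
    Write-Host "WARNING: could not enumerate Administrators: $($_.Exception.Message)"
    $AdminAccounts = @()
}

# @() guarantees an array even when zero or one event is returned.
$Events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue)

# Project each event to the fields worth correlating. The names are the 4625 EventData fields.
$Failures = foreach ($Event in $Events) {
    $Data = ([xml]$Event.ToXml()).Event.EventData.Data
    $Get  = { param($Name) ($Data | Where-Object { $_.Name -eq $Name }).'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Account   = & $Get 'TargetUserName'
        Source    = & $Get 'IpAddress'      # '-' for local/console failures
        LogonType = & $Get 'LogonType'      # 3 = network, 10 = RDP, 2 = interactive
        SubStatus = & $Get 'SubStatus'      # 0xC000006A = bad password, 0xC0000064 = unknown user
    }
}

# Keep only failures against local admin accounts, then group by account and source.
$AdminFailures = @($Failures | Where-Object { $AdminAccounts -contains $_.Account })
$Groups = $AdminFailures | Group-Object Account, Source | Sort-Object Count -Descending

# A single mistyped password is noise; many failures from one source against one admin is not.
$Alerts = @($Groups | Where-Object { $_.Count -ge $Threshold })

if ($Alerts.Count -gt 0) {
    $Message = "ALERT: $($AdminFailures.Count) failed admin logons in the last $Hours h; $($Alerts.Count) account/source pair(s) at or above $Threshold`n"
    foreach ($G in $Alerts) {
        $First = $G.Group | Sort-Object Time | Select-Object -First 1
        $Message += " - $($G.Name): $($G.Count) failures, logon type $($First.LogonType), sub-status $($First.SubStatus), first at $($First.Time)`n"
    }
    Write-Host $Message.Trim()
    exit 1
}

Write-Host "No admin account reached $Threshold failed logons from a single source in the last $Hours h ($($AdminFailures.Count) total)."
exit 0
```

Grouping on account and source is what separates an administrator who mistyped a password twice from a single host cycling through passwords, and the SubStatus value tells the responder whether the attempts used a valid user name (0xC000006A) or a guessed one (0xC0000064). The exit codes match the library script, so this version can be dropped into the same Level script-based monitor.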

FAQ

  • How does this script identify failed admin logins?
    It scans Windows Event Logs for Event ID 4625 (failed logins) and filters the results against a list of administrator accounts retrieved from the local Administrators group.
  • Can I change the time window for detection?
    Yes, modify (Get-Date).AddHours(-1) to adjust the detection period, such as -2 for two hours; for a 30-minute window use (Get-Date).AddMinutes(-30), since AddHours(-30) would look back 30 hours.
  • What happens if failed admin logins are detected?
    The script outputs an alert message and exits with a non-zero status, allowing Level’s monitoring system to trigger an alert.
  • Can this script help with compliance requirements?
    Yes, monitoring failed admin login attempts is critical for security frameworks like NIST, PCI-DSS, and HIPAA, helping organizations track and mitigate unauthorized access attempts.
  • Does this script exclude normal user login failures?
    Yes, it specifically filters failed logins for administrator accounts to reduce noise and focus on high-risk events.
  • Will this script impact system performance?
    No, it queries event logs efficiently and has minimal system impact. However, always test before deploying to production.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows - Failed Admin Login

Description

This PowerShell script monitors Windows security logs for failed login attempts targeting administrator accounts within the last hour. It retrieves failed login events (Event ID 4625), cross-references them against the local Administrators group membership, and generates an alert message if any failed attempts are detected for admin accounts, providing a simple but effective security monitoring tool.

Language

PowerShell

Timeout (In Seconds)

300

Run As

Local system
