Automatic Notification for Active Directory Account Lockouts
The Task Scheduler in Windows 2008 is vastly improved from previous versions of Windows Server. One feature that I really like is that you can trigger tasks from events showing up in the logs. Since account lockouts are logged as Event ID 4740, we can create a task that emails the IT department or helpdesk as soon as that ID appears in the Security log. The IT department is therefore aware of the issue before the user calls and can pre-empt the request for help. It can also help flag a brute-force attack that is in progress, since a burst of lockouts is one of its visible symptoms.
First we need a PowerShell script that can email the information about the lockout from the Security log to the IT department.
# Fetch the newest account-lockout event (Event ID 4740) from the Security log
$Event = Get-EventLog -LogName Security -InstanceID 4740 -Newest 1
$MailBody = $Event.message
$MailSubject = "User Account locked out"
# Build the SMTP client and the message
$SmtpClient = New-Object system.net.mail.smtpClient
$SmtpClient.host = "smtp.domain.com"
$MailMessage = New-Object system.net.mail.mailmessage
$MailMessage.from = "AccountLockout@domain.com"
$MailMessage.To.add("alerts@domains.com")
$MailMessage.IsBodyHtml = $true
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
# Send the notification
$SmtpClient.Send($MailMessage)
Save this PowerShell script in a script directory that is accessible from your server and then simply create a task within the Task Scheduler. The Trigger is "On an event", using the Security log and Event ID 4740. The Action is then to run the PowerShell script, which finds the information in the log and emails it to the IT department. To start a PowerShell script from a task, tell the Task Scheduler to "Start a program", start PowerShell, and pass the location of the saved script as the argument.
Now simply create a test user in Active Directory and try to log on to a computer with an incorrect password. Once the number of failed logons allowed by your account lockout policy is reached, you will shortly see the email alert come in to notify you that an account has been locked out.
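The same setup end to end, as an added example that is not the original post's script: it writes a notification script to disk and registers the event-triggered task with schtasks (which is available on Windows Server 2008, unlike Register-ScheduledTask). The script reads the 4740 event's named fields, so the mail states which account was locked and which computer the bad passwords came from. Assumptions: PowerShell 2.0 or later, an SMTP relay at smtp.domain.com that accepts mail from the domain controller, and the script path below.

```powershell
# Added example (not the original post's code). Assumptions: PowerShell 2.0+,
# SMTP relay at smtp.domain.com, script stored at the path below.
$ScriptPath = 'C:\Scripts\Notify-Lockout.ps1'

$ScriptBody = @'
# Newest 4740 event; stop if there is none so a stray trigger sends no junk mail.
$Event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1 -ErrorAction Stop

# Read the named EventData fields instead of scraping the message text.
$xml  = [xml]$Event.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

$account = $data['TargetUserName']    # the locked-out account
$caller  = $data['TargetDomainName']  # in 4740 this field carries the Caller Computer Name
$dc      = $Event.MachineName         # domain controller that recorded the lockout

# The caller computer tells the helpdesk whether this is the user's own workstation
# (typo, stale saved password) or an unexpected host that deserves a closer look.
$body = @"
Account locked out: $account
Caller computer:    $caller
Reported by DC:     $dc
Time:               $($Event.TimeCreated)

Full event text:
$($Event.Message)
"@

Send-MailMessage -SmtpServer 'smtp.domain.com' `
    -From 'AccountLockout@domain.com' -To 'alerts@domain.com' `
    -Subject "User account locked out: $account (caller $caller)" -Body $body
'@

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ScriptBody -Encoding ASCII

# Trigger on the Security channel with an XPath filter for EventID 4740. Running as
# SYSTEM lets the task read the Security log without storing a password in the task.
schtasks /Create /F /TN 'Notify-AccountLockout' /RU 'SYSTEM' /RL HIGHEST `
    /SC ONEVENT /EC Security /MO '*[System/EventID=4740]' `
    /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $ScriptPath"
```

Run this once from an elevated PowerShell prompt on the domain controller; afterwards the Task Scheduler history for Notify-AccountLockout shows each run, which is a quick way to confirm the trigger fires during the test-user check above.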