
www.gavinwill.me.uk

Photography, IT, Bikes and more.

Automatic Notification for Active Directory Account Lockouts

The Task Scheduler in Windows 2008 is vastly improved from previous versions of Windows Server. One feature that I really like is that you can trigger tasks from events showing up in the logs. Since account lockouts are logged as Event ID 4740, we can create a task that emails the IT department or helpdesk as soon as that event is written to the Security log. The IT department is then aware that there is an issue and can pre-empt the user asking for help. It can also help with being notified when a brute-force attack is being made.

First we need a PowerShell script that can email the information from the Security log about the lockout to the IT department.

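# Fetch the most recent account lockout event (Event ID 4740) from the Security log.
# $Event is a PowerShell automatic variable, so the result is stored under another name.
$LockoutEvent = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
$MailBody = $LockoutEvent.Message

$MailSubject = "User Account locked out"

# SMTP server used to send the alert
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "smtp.domain.com"

# Build the message and send it
$MailMessage = New-Object System.Net.Mail.MailMessage
$MailMessage.From = "AccountLockout@domain.com"
$MailMessage.To.Add("alerts@domains.com")
$MailMessage.IsBodyHtml = $true
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)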


Save this PowerShell script in a script directory that is accessible from your server, then create a task within the Task Scheduler. The trigger is "On an event", using the Security log and Event ID 4740. The action is then to run the PowerShell script, which finds the information in the log and emails it to the IT department. To start a PowerShell script, tell the Task Scheduler to "Start a program" and to start PowerShell, with the argument being the location where the script is saved.

Now create a test user in Active Directory and try to log in to a computer with an incorrect password. Once the number of failed logins set by your account lockout policy is reached, you will shortly see the email alert arrive to notify you that an account has been locked out.
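An added example, not part of the original post: rather than mailing the raw message of only the newest event, this PowerShell reads the Event ID 4740 fields by name and flags one source locking out several accounts, the brute-force case mentioned above. The sample events, host names and `$threshold` are constructed for illustration; the resulting subject and body can be passed to the mail code shown earlier.

```powershell
function ConvertFrom-LockoutXml {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $doc = [xml]$EventXml
    # Index the <Data Name="..."> elements under <EventData> by their Name attribute.
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    New-Object PSObject -Property @{
        TimeCreatedUtc   = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
        LockedAccount    = $data['TargetUserName']
        CallerComputer   = $data['TargetDomainName']  # 4740 records the caller computer here
        DomainController = $doc.Event.System.Computer
    }
}

# Constructed, trimmed sample events (real 4740 events carry more fields).
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="{0}" />
    <Computer>DC01.example.test</Computer></System>
  <EventData><Data Name="TargetUserName">{1}</Data>
    <Data Name="TargetDomainName">{2}</Data></EventData>
</Event>
'@
$samples = @(
    ($template -f '2012-08-11T09:15:02Z', 'testuser1', 'WKS-014'),
    ($template -f '2012-08-11T09:15:40Z', 'testuser2', 'WKS-014'),
    ($template -f '2012-08-11T09:21:10Z', 'testuser3', 'WKS-027')
)
# Live use on a domain controller instead of the samples (last 5 minutes):
#   $samples = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740;
#       StartTime = (Get-Date).AddMinutes(-5) } | ForEach-Object { $_.ToXml() }
$lockouts = @($samples | ForEach-Object { ConvertFrom-LockoutXml $_ })

# Plain-text body with one row per lockout, so closely spaced lockouts all appear.
$body = $lockouts |
    Select-Object TimeCreatedUtc, LockedAccount, CallerComputer, DomainController |
    Format-Table -AutoSize | Out-String

# Several accounts locked out from one source is called out in the subject line.
$threshold = 2   # assumed value; tune to your environment
$noisy = @($lockouts | Group-Object CallerComputer | Where-Object { $_.Count -ge $threshold })
$subject = if ($noisy.Count -gt 0) {
    "Account lockouts: multiple accounts from $(($noisy | ForEach-Object { $_.Name }) -join ', ')"
} else { "User Account locked out" }

$subject
$body
```

Because the body is plain text, set `IsBodyHtml` to `$false` when mailing it so the table layout is preserved.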

  • August 11, 2012
  • Active Directory, IT & Computing

Copyright © 2019 www.gavinwill.me.uk.
