Active Directory User Account Lockout Event Notification

Be notified by email when an Active Directory user account is locked out. This PowerShell script grabs the most recent lockout event (event ID 4740) from the Security log and sends you an email notification. It requires a Windows 2008+ domain controller and an email system that accepts relay from the DC.

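# Grab the most recent account lockout event (ID 4740) from the Security log
$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
# Body: the full event message followed by the time the event was generated
$MailBody = $Event.Message + "`r`t" + $Event.TimeGenerated
$MailSubject = "User Account locked out"
# SMTP server that accepts relay from this DC
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "ExchSvr.Domain.Local"
$MailMessage = New-Object System.Net.Mail.MailMessage
$MailMessage.From = "AcctLockNotify@domain.local"
# Placeholder recipient: replace with the mailbox that should receive the alert
$MailMessage.To.Add("recipient@domain.local")
$MailMessage.IsBodyHtml = $false
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
# Send the notification
$SmtpClient.Send($MailMessage)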

Create a new task in task scheduler to run on an event trigger with event ID 4740. Create a new action to ‘Start a program’ and add this path under program/script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file C:\Scripts\acc_lockout.ps1

When you click OK, Task Scheduler is smart enough to split the command line and put the arguments in the correct field.

Before you set it and forget it, go to the General tab, select ‘Run whether user is logged on or not’, and use an account with the proper rights, such as your dedicated service account.

If you’re getting the error:
“File C:\Scripts\acc_lockout.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see “get-help about_signing” for more details.”, then you will need to change the execution policy so that local scripts are allowed to run. From an elevated PowerShell prompt, RemoteSigned is enough for a script created on the DC itself:

Set-ExecutionPolicy RemoteSigned

You should see an email in the following format:
A user account was locked out.
 Security ID:                  S-1-5-18
 Account Name:                 DOMAINCONTROLLER$
 Account Domain:               DOMAINNAME
 Logon ID:                     0x3e7
 Account That Was Locked Out:
 Security ID:                        S-1-5-21-2388021981-560130107-590547658-1106
 Account Name:                 adminuser1
 Additional Information:
 Caller Computer Name:  ServerHost1
 11/08/2012 14:12:29
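
The script above mails the whole event message as one block of text. As an added example (not part of the original script), the function below reads the same 4740 fields from the event's XML by name, so the locked-out account and the caller computer can go straight into the subject line. The function name ConvertFrom-LockoutEventXml is hypothetical, and the sample XML is constructed from the values in the sample email above.

```powershell
# Added example: parse a 4740 event's XML into named fields (PowerShell 2.0 compatible).
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory=$true)][string]$EventXml)

    $doc = [xml]$EventXml
    $id  = $doc.Event.System['EventID'].InnerText
    if ($id -ne '4740') { throw "Not an account lockout event (EventID=$id)" }

    # Index EventData by the Name attribute instead of relying on field order.
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

    New-Object PSObject -Property @{
        TimeCreatedUtc = $doc.Event.System.TimeCreated.SystemTime
        LockedAccount  = $data['TargetUserName']
        LockedSid      = $data['TargetSid']
        # In event 4740 the TargetDomainName field carries the caller computer name.
        CallerComputer = $data['TargetDomainName']
        ReportedBy     = $data['SubjectUserName']
    }
}

# Constructed sample event; the timestamp is made up, other values mirror the sample email.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2012-11-08T14:12:29.000000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">adminuser1</Data>
    <Data Name="TargetDomainName">ServerHost1</Data>
    <Data Name="TargetSid">S-1-5-21-2388021981-560130107-590547658-1106</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DOMAINCONTROLLER$</Data>
    <Data Name="SubjectDomainName">DOMAINNAME</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

$lock = ConvertFrom-LockoutEventXml $sample
$MailSubject = "User Account locked out: $($lock.LockedAccount) (caller: $($lock.CallerComputer))"
$MailSubject

# On a domain controller, feed it the live event instead of the sample:
# $evt  = Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4740]]' -MaxEvents 1
# $lock = ConvertFrom-LockoutEventXml $evt.ToXml()
```

The caller computer is usually the first thing to check when tracing a repeated lockout, so having it in the subject line saves opening each message.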