Sending Automatic Email Notifications When An Active Directory Account Locks

05:22:2017

Hello SealingTech readers! If you’re reading this blog you probably have some kind of an interest in how to notify your IT administrators via e-mail if an Active Directory account gets locked out in your environment. If you’re not interested and somehow wound up here, feel free to continue reading, you might just learn something!

In today’s 24/7-availability, Single-Sign-On age, one AD account may be in use on many different systems. Getting the lockout log entry to the administrator immediately, with the name of the machine the failed logons came from, saves time when troubleshooting frequent lockout issues.

There are two main advantages to providing account lockout email notifications to your administrators:

  • Increases information security in your environment by notifying administrators when accounts are locking out frequently (providing time to investigate potential foul play), and by including the log entry that tells the administrator which machine the failed logon requests came from.
  • Provides your administrators with a heads up that users could be calling them shortly and asking for support, while providing preliminary data that would be useful for supporting the issue.

If you’re not interested in learning something OR sending emails for account lockouts in your environment…. just…uhhh…..go back to watching YouTube videos of…uhhh…squirrels…. high fiving… or something? Let’s get to business!

Prerequisites

Oh, right! Things typically only work effortlessly if you do some planning and check your prerequisites beforehand!

Please verify you have the following before voicing any complaints or questions in the comments:

  • A Domain Controller (preferably Server 2008 or above) with Windows PowerShell installed on it (should be installed by default). Use the DC holding the PDC Emulator role if you can: bad-password attempts are forwarded to it, so it logs a 4740 event for every lockout in the domain, whereas any other DC only logs the lockouts it processed itself.
  • An SMTP server or relay that will accept emails from your Domain Controller
  • A mailbox or distribution list that will notify your IT administrators
  • A script that will send the notification email to the necessary users (provided in the section below)
  • A Service Account that has permissions to do several things:
    • The ability to run as a batch job on the Domain Controller
    • The ability to query the event logs on the Domain Controller
    • The ability to run a scheduled task on the Domain Controller
  • A competent system administrator who can both read and follow directions from a WordPress blog (the ability to look at pictures may suffice, but don’t risk it!)

The Script

First, you’ll need to edit the script for your own use. You can even sneak your own name into the comments if you want, we won’t tell anyone. To edit the file, we recommend you copy and paste this into a text editor like Notepad or the incredibly useful Notepad++. You know Notepad++ is awesome because it’s got two more plus signs than your basic Notepad. Whatever editor you use, make sure the quotes end up as straight quotes (") in the saved file; curly quotes copied from a web page will stop PowerShell from parsing the script.

You’ll want to edit the following variables to match your environment:

$MailFrom
$MailTo
$SmtpClient.host

#################################################################
##Written by Kevin Roberts @ Sealing Technologies
##
##Sends Email Updates to Administrators when an account locks
#################################################################

#Declare variables to be used for the Email
$MailSubject = "Notice: User Account locked out"
$MailFrom = "DoNotReply@yourcompany.com"
$MailTo = "AdminsDL@yourcompany.com"

#Gets the most recent account lockout event (Security event ID 4740) from the local Security log
$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1

#Creates a variable which contains the contents of the lockout event. This is used for the actual message in the email.
#The message text includes the locked account and the Caller Computer Name the failed logons came from.
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated

#Creates an SMTP client object and points it at your relay
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "yourSMTPRelay.yourcompany.com"

#Creates a new Mail Message Object. This is the object needed for addressing the email, subject, body, etc.
$MailMessage = New-Object System.Net.Mail.MailMessage
$MailMessage.From = $MailFrom
$MailMessage.To.Add($MailTo)
$MailMessage.IsBodyHtml = $false
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody

#Actually Sends the Message
$SmtpClient.Send($MailMessage)
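The script above mails the raw event text and always picks the newest 4740, so if two accounts lock within the same second you get two copies of one of them and none of the other. The following is an added example, not Kevin’s script from the post: it uses Get-WinEvent, reads the individual fields out of the event XML instead of the message text, and accepts an optional -RecordId so that a task which passes the triggering event’s record ID (Task Scheduler can do this through a ValueQueries entry in the task XML) mails exactly that event. The addresses, the relay name and the -RecordId parameter name are assumptions for the example.

```powershell
# Added example (not the original SealingTech script): a variant of the lockout
# notifier that reads the 4740 event fields by name and can target one record.
# Assumptions: mail addresses, relay name and the -RecordId parameter are
# placeholders chosen for this example.
[CmdletBinding()]
param(
    # Optional: the EventRecordID handed over by Task Scheduler. When omitted,
    # the newest 4740 event in the Security log is used instead.
    [long]$RecordId
)

$MailFrom   = 'DoNotReply@yourcompany.com'    # placeholder
$MailTo     = 'AdminsDL@yourcompany.com'      # placeholder
$SmtpServer = 'yourSMTPRelay.yourcompany.com' # placeholder

# Build the XPath filter: a specific record if we were given one, otherwise the newest 4740.
$xpath = if ($PSBoundParameters.ContainsKey('RecordId')) {
    "*[System[EventID=4740 and EventRecordID=$RecordId]]"
} else {
    "*[System[EventID=4740]]"
}
# Get-WinEvent returns newest first, so -MaxEvents 1 is the latest match.
# -ErrorAction Stop makes a missing event fail the task visibly instead of mailing garbage.
$Event = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop

# Pull the EventData fields by name. In event 4740 the field called
# 'TargetDomainName' holds the Caller Computer Name, i.e. the machine that
# sent the failed logons; 'Subject*' is the DC that performed the lockout.
[xml]$xml = $Event.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

$body = @"
Account lockout detected on $($env:COMPUTERNAME)

Locked account:      $($data['TargetUserName'])
Account SID:         $($data['TargetSid'])
Caller computer:     $($data['TargetDomainName'])
Locked by:           $($data['SubjectDomainName'])\$($data['SubjectUserName'])
Time (local):        $($Event.TimeCreated)
Event record ID:     $($Event.RecordId)
"@

$msg = New-Object System.Net.Mail.MailMessage
$msg.From = $MailFrom
$msg.To.Add($MailTo)
$msg.Subject = "Notice: account $($data['TargetUserName']) locked out (caller: $($data['TargetDomainName']))"
$msg.Body = $body
$msg.IsBodyHtml = $false

$smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer)
try {
    $smtp.Send($msg)
} finally {
    $msg.Dispose()
    $smtp.Dispose()
}
```

Run it by hand as powershell.exe -NoProfile -File C:\TaskScripts\LockoutScript.ps1 to mail the newest lockout, or add -RecordId <n> for a specific record. Two caveats: the service account needs read access to the Security log (membership in the DC’s Builtin\Event Log Readers group is sufficient for that), and the Caller Computer Name is supplied by the client and can be blank, so treat it as a lead and corroborate it with the 4771/4776 events on the same DC, which carry the client address.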

Now that we have all that pesky work taken care of, let the directions begin!

How to Send Automatic Email Notifications When an AD Account Locks

What we are doing here is actually very simple. We are setting up a task that triggers whenever an account locks out (Security event ID 4740). The trigger starts a script that emails an administrative distribution list the contents of that event. This gives the administrators the account that locked and the name of the computer the failed requests came from (the “Caller Computer Name” field of the event), which is useful both for troubleshooting and for spotting suspected foul play.

  1. RDP into your Domain Controller. If you don’t know how to do this, stop here and re-read the prerequisites a few times. You’re missing at least one of them, but possibly multiple.
  2. Go to Start–>Administrative Tools–>Task Scheduler
  3. In the “Actions” pane on the right, click “Create Task”
  4. In the “General” tab, give the task a name, click “Change User or Group” and pick your service account, then select “Run whether user is logged on or not” (leave “Do not store password” unchecked, otherwise the task has no credentials to read the Security log with). The script only reads the log and sends mail, so leave “Run with highest privileges” unchecked.
  5. In the “Triggers” tab click “New”, set “Begin the task” to “On an event”, and under Basic settings choose Log: Security, Source: Microsoft-Windows-Security-Auditing, Event ID: 4740 (the lockout event the script reads)
  6. In the “Actions” tab, click “New” and leave the action as “Start a program”
  7. For the Program/Script section, paste in the following: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  8. For the Add arguments section, paste in the following, adjusted for the location of your script: -file C:\TaskScripts\LockoutScript.ps1 (putting -NoProfile -NonInteractive in front of -file is a good habit for an unattended task)
  9. In the “Conditions” tab, make sure nothing there will stop the task from firing: clear “Start the task only if the computer is on AC power” and leave the idle conditions off
  10. Click OK to close the new task screen and Windows should prompt you for the credentials of your service account. Enter the correct credentials. (Duhhh right?).
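The same task, created from PowerShell rather than by clicking through the GUI, as an added example that is not part of the original post. It registers the task from an XML definition because that is the way to give the event trigger a ValueQueries entry, which hands the triggering event’s record ID to the script as -RecordId; the script in this post has no parameters and ignores the extra argument, so it is harmless there and only matters if your script makes use of it. The task name, script path and service account name are placeholders.

```powershell
# Added example (not from the original post): register the lockout notifier as
# an event-triggered scheduled task from PowerShell, forwarding the triggering
# event's record ID to the script. Assumptions: task name, script path and
# service account below are placeholders.
$TaskName   = 'Notify-AccountLockout'
$ScriptPath = 'C:\TaskScripts\LockoutScript.ps1'
$RunAs      = 'YOURDOMAIN\svc_lockoutmail'   # placeholder service account

# Event subscription: Security log, Security-Auditing provider, event 4740 only.
$subscription = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">' +
    "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]" +
    '</Select></Query></QueryList>'
# The subscription is XML embedded inside XML, so it must be escaped once.
$escaped = [System.Security.SecurityElement]::Escape($subscription)

# Task definition. LogonType Password = "Run whether user is logged on or not";
# RunLevel LeastPrivilege = no elevation; DisallowStartIfOnBatteries false =
# the AC-power condition cleared. $(EventRecordID) is resolved by Task
# Scheduler from the ValueQueries entry, not by PowerShell (hence the backtick).
$taskXml = @"
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$escaped</Subscription>
      <ValueQueries>
        <Value name="EventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$RunAs</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -File "$ScriptPath" -RecordId `$(EventRecordID)</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# Prompt for the service account password; it is stored by Task Scheduler so
# the task can run unattended (the account still needs "Log on as a batch job").
$cred = Get-Credential -UserName $RunAs -Message 'Password for the task service account'
Register-ScheduledTask -TaskName $TaskName -Xml $taskXml `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -Force
```

After registering, Get-ScheduledTask -TaskName Notify-AccountLockout | Get-ScheduledTaskInfo shows the last run time and last result once a lockout fires, and Export-ScheduledTask on the task returns the XML so you can confirm the ValueQueries entry survived. Queuing instances rather than running them in parallel means a burst of lockouts produces one mail per event in order instead of a pile of concurrent SMTP sessions to your relay.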

If you did everything right, you should be done!

There are two ways to test that the script is working. One is to lock out a test account (enter a wrong password for it more times than your lockout threshold allows). The other is to open Task Scheduler, right-click the task and hit “Run”; the script will find the most recent account lockout in the event log and mail it (a certain author of this document may have annoyed some coworkers when doing this). If the on-demand run works but a real lockout never fires the task, check that event 4740 actually shows up in the DC’s Security log when the test account locks: it is only recorded when “Audit User Account Management” success auditing is in effect on the DC, and a trigger cannot fire on an event that is never written.

Summary

Hopefully this helped some hopeless system administrator out there who was trying to impress their boss. Or maybe it helped some hopeful system administrator out there was …… trying to… impress their boss. Keep in mind that this type of script can be used to do almost any kind of notification on a Windows server. Remember, the sky is the limit! (Well, unless you have a spaceship, but if you do, you’re in the wrong business)

Source: Knowledge gathered from experience, various articles on Microsoft Technet, and various other blog posts on the subject
