Sending Automatic Email Notifications When An Active Directory Account Locks

Hello SealingTech readers! If you’re reading this blog you probably have some kind of an interest in how to notify your IT administrators via e-mail if an Active Directory account gets locked out in your environment. If you’re not interested and somehow wound up here, feel free to continue reading, you might just learn something!

In today’s 24/7 availability, Single-Sign-On age, your AD account could be used on many different systems. Having the lockout notification, with its log entry, delivered immediately to the administrator can save them time troubleshooting frequent lockout issues. There are two main advantages to providing these notifications to your administrators:

  • It increases information security in your environment by notifying administrators if accounts are locking out frequently (giving them time to investigate potential foul play), and by providing a log that tells the administrator which machine the failed login requests are originating from.

  • It gives your administrators a heads up that users could be calling them shortly asking for support, along with preliminary data that is useful for resolving the issue.

If you’re not interested in learning something OR sending emails for account lockouts in your environment…. just…uhhh…..go back to watching YouTube videos of…uhhh…squirrels…. high fiving… or something? Let’s get to business!

Prerequisites

Oh, right! Things typically only work effortlessly if you do some planning and check your prerequisites beforehand!

Please verify you have the following before voicing any complaints or questions in the comments:

  • A Domain Controller (preferably Server 2008 or above) with Windows PowerShell installed on it (should be installed by default)

  • An SMTP server or relay that will accept emails from your Domain Controller

  • A mailbox or distribution list that will notify your IT administrators

  • A script that will send the notification email to the necessary users (provided in the section below)

  • A Service Account that has permissions to do several things:

    • The ability to run as a batch job on the Domain Controller
    • The ability to query the event logs on the Domain Controller
    • The ability to run a scheduled task on the Domain Controller

  • A competent system administrator who can both read and follow directions from a WordPress blog (the ability to look at pictures may suffice, but don’t risk it!)

The Script

First, you’ll need to edit the script for your own use. You can even sneak your own name into the comments if you want, we won’t tell anyone. To edit the file, we recommend you copy and paste this into a text editor like Notepad or the incredibly useful Notepad++. You know Notepad++ is awesome because it’s got two more plus signs than your basic Notepad.

You’ll want to edit the following variables to match your environment:

$MailFrom
$MailTo
$SmtpClient.Host

[code]
##################################################################
## Written by Kevin Roberts @ Sealing Technologies
##
## Sends Email Updates to Administrators when an account locks
##################################################################

# Declare variables to be used for the Email
$MailSubject = "Notice: User Account locked out"
$MailFrom    = "DoNotReply@yourcompany.com"
$MailTo      = "AdminsDL@yourcompany.com"

# Gets the most recent lockout event (Event ID 4740) from the Security log
$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
if (-not $Event) { return }   # Nothing to report if the log holds no lockout event

# Builds the email body from the contents of the lockout event,
# followed by the time the event was generated
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated

# Creates an SMTP client object and points it at your SMTP relay
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "yourSMTPRelay.yourcompany.com"

# Creates a new Mail Message object. This object carries the addressing, subject, body, etc.
$MailMessage = New-Object System.Net.Mail.MailMessage
$MailMessage.From = $MailFrom
$MailMessage.To.Add($MailTo)
$MailMessage.IsBodyHtml = $false
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody

# Actually sends the message
$SmtpClient.Send($MailMessage)
[/code]

Now that we have all that pesky work taken care of, let the directions begin!

How To

What we are doing here is actually very simple. We are setting up a scheduled task that triggers whenever an account locks out. The task starts a script that emails an administrative distribution list the actual contents of the event log entry itself. This gives the administrators the account that locked and the computer or IP that sent the failed request (useful for troubleshooting or suspected foul play).
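As an added example (not the original script from this post), here is a variant of the notification logic that reads the 4740 event's individual fields instead of its whole message text, so the locked account and the caller computer land in labelled lines, and that counts how often the same account has locked out in the last hour so repeated lockouts stand out in the subject. The mail addresses and relay are the same placeholders as in the script above and need adjusting for your environment.

```powershell
# Added example, not the original script: read the newest 4740 event with
# Get-WinEvent, pull the locked account and the caller computer out of its
# EventData fields, and count that account's lockouts in the last hour so
# repeated lockouts (the "foul play" case) stand out in the subject line.
# Mail addresses and relay are placeholders, as in the original script.

function Get-LatestLockout {
    param([int]$LookbackMinutes = 60)

    # Newest lockout event; null if the log holds none (e.g. freshly cleared)
    $Event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                          -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $Event) { return $null }

    # In a 4740 event TargetUserName is the locked account and, despite its
    # name, TargetDomainName is the computer the failed logons came from.
    $Data    = ([xml]$Event.ToXml()).Event.EventData.Data
    $Account = ($Data | Where-Object Name -eq 'TargetUserName').'#text'
    $Caller  = ($Data | Where-Object Name -eq 'TargetDomainName').'#text'

    # Count 4740 events for the same account within the lookback window
    $Since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $Recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } `
                           -ErrorAction SilentlyContinue |
        Where-Object { ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'TargetUserName' -and $_.'#text' -eq $Account } }

    [pscustomobject]@{
        Account     = $Account
        Caller      = $Caller
        When        = $Event.TimeCreated
        RecentCount = @($Recent).Count
    }
}

$Lockout = Get-LatestLockout
if ($Lockout) {
    $Subject = "Notice: $($Lockout.Account) locked out ($($Lockout.RecentCount) lockouts in the last hour)"
    $Body = @"
Account:          $($Lockout.Account)
Caller computer:  $($Lockout.Caller)
Time:             $($Lockout.When)
Lockouts (1h):    $($Lockout.RecentCount)
"@
    Send-MailMessage -From 'DoNotReply@yourcompany.com' -To 'AdminsDL@yourcompany.com' `
        -Subject $Subject -Body $Body -SmtpServer 'yourSMTPRelay.yourcompany.com'
}
```

A high count from a single caller computer is the pattern worth investigating first; a lone lockout from the user's own workstation is usually just a stale password on a mapped drive or service.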

1. RDP into your Domain Controller. If you don’t know how to do this, stop here and re-read the prerequisites a few times. You’re missing at least one of them, but possibly multiple.

2. Go to Start –> Administrative Tools –> Task Scheduler.

3. In the “Actions” pane on the right, click the “Create Task” button.

4. In the General tab, configure as seen in this screenshot (the task runs as your service account, whether or not that user is logged on).

5. In the “Triggers” tab, click “New” and configure as seen in this screenshot (the trigger is an “On an event” trigger for the Security log, Event ID 4740, the same event the script reads).

6. In the “Actions” tab, click “New”.

7. For the Program/Script field, paste in the following:

   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

8. For the Add Arguments field, paste in the following, adjusted for the location of your script:

   -file C:\TaskScripts\LockoutScript.ps1

9. In the “Conditions” tab, configure as seen in this screenshot.

10. Exit out of the new task screen and Windows should prompt you for the credentials of your service account. Enter the correct credentials. (Duhhh, right?)

If you did everything right, you should be done!
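If you would rather create the task from an elevated PowerShell prompt on the Domain Controller than click through the Task Scheduler screens, this added example (not from the original post) does the same job with schtasks.exe: an event trigger on Security Event ID 4740 that runs the script as the service account. The task name and the service account name are placeholders; the PowerShell path and script path are the ones from steps 7 and 8.

```powershell
# Added example: create the lockout-notification task from the command line
# instead of the Task Scheduler GUI. Run from an elevated prompt on the DC.
# Placeholders: the task name and DOMAIN\svc_lockout (your service account).
$TaskName   = 'AD Lockout Notification'
$SvcAcct    = 'DOMAIN\svc_lockout'
$PowerShell = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$Script     = 'C:\TaskScripts\LockoutScript.ps1'

# Fire only on Event ID 4740 (account locked out) in the Security log.
$EventQuery = '*[System[EventID=4740]]'

# /SC ONEVENT + /EC + /MO = event trigger; /RU + /RP = run as the service
# account whether or not it is logged on (needs the "log on as a batch job"
# right from the prerequisites). /RP '*' prompts for the password so it
# never ends up in your shell history. /F overwrites an existing task.
schtasks.exe /Create /TN $TaskName /SC ONEVENT /EC Security /MO $EventQuery `
    /TR "$PowerShell -NonInteractive -File $Script" `
    /RU $SvcAcct /RP '*' /RL HIGHEST /F

# Sanity check: confirm the trigger and action look the way you expect
schtasks.exe /Query /TN $TaskName /V /FO LIST
```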

There are two ways to test that the script is working. One way is to lock out a test account. The other way is to open the Task Scheduler, right click on the task and hit “Run”. It will run and find the last instance of an account locking out in the event logs (a certain author of this document may have annoyed some coworkers when doing this).

Summary

Hopefully this helped some hopeless system administrator out there who was trying to impress their boss. Or maybe it helped some hopeful system administrator out there who was …… trying to… impress their boss. Keep in mind that this type of script can be used to do almost any kind of notification on a Windows server. Remember, the sky is the limit! (Well, unless you have a spaceship, but if you do, you’re in the wrong business)

Sources

Knowledge gathered from experience, various articles on Microsoft Technet, and various other blog posts on the subject
