If your organization has configured an account lockout policy, the following PowerShell script and scheduled task will send an email notification to one or more administrators whenever an account becomes locked out. This is useful both for proactive notification when a user locks their own account and for security monitoring, since a burst of lockouts can indicate password guessing.
System Requirements: Windows Server 2012 and PowerShell 2.0
1. Copy the script below and paste it into Notepad.
2. Modify the Account Lock Out Email Script: change the "From", "To", and "SmtpServer" values to match your environment.
----------------------------------------------------
# Fetch the most recent account lockout event (Event ID 4740) from the Security log
$AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
# ReplacementStrings[0] is the Target Account Name, i.e. the account that was locked out
$LockedAccount = $($AccountLockOutEvent.ReplacementStrings[0])
$AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
$AccountLockOutEventMessage = $AccountLockOutEvent.Message
# Build the mail parameters; replace From, To and SmtpServer with your own values
$messageParameters = @{
    Subject = "Account Locked Out: $LockedAccount"
    Body = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage"
    From = "lockout@domain.com"
    To = "notification@domain.com"
    SmtpServer = "mail.domain.com"
}
# Send the notification, splatting the hashtable as cmdlet parameters
Send-MailMessage @messageParameters
----------------------------------------------------------
3. Save the script to a location accessible from the server.
(Make sure PowerShell's execution policy allows scripts to run; by default it does not. Allow it with "Set-ExecutionPolicy RemoteSigned".)
4. Create a scheduled task with the trigger "When a specific event is logged".
In Windows Server 2012, press the Windows key, open Administrative Tools, then Task Scheduler, and create a new Basic Task. For the trigger, select "When a specific event is logged" and use the following settings:
Log: Security
Source: Microsoft Windows security auditing.
Event ID: 4740
Set the Action to start the program powershell.exe with the additional arguments:
-nologo -File "C:\ScriptPath\EmailAccountLockout.ps1"
5. Test
Test your account lockout notification scheduled task, preferably with a test account.
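Two things worth adding to the script above in practice: the caller computer name that event 4740 records (the machine the failed logons came from), and handling of several lockouts landing at the same moment, which "-Newest 1" would report as a single event. The following is an added example and not the post's own script; the two-minute window, the use of Get-WinEvent with the event's XML data, and the placeholder mail addresses are its own assumptions.

```powershell
# Added example (not the original post's script): report every 4740 logged in
# the last two minutes, not just the newest one, and include the source computer.
# The time window and the mail addresses below are placeholder assumptions.
$since  = (Get-Date).AddMinutes(-2)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Read the structured EventData instead of relying on ReplacementStrings positions
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $account = $data['TargetUserName']    # the account that was locked out
    $source  = $data['TargetDomainName']  # "Caller Computer Name": where the bad logons came from
    $dc      = $evt.MachineName           # domain controller that processed the lockout

    $body = @"
Account $account was locked out at $($evt.TimeCreated) on $dc.
Failed logons originated from computer: $source

Event Details:
$($evt.Message)
"@

    Send-MailMessage -Subject "Account Locked Out: $account (from $source)" -Body $body `
        -From 'lockout@domain.com' -To 'notification@domain.com' -SmtpServer 'mail.domain.com'
}
```

For domain accounts, 4740 is written on the domain controller that processed the lockout, and the PDC emulator receives every lockout in the domain, so that is where the scheduled task belongs.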
Conclusion
After this is set up, you will receive an email whenever an account gets locked out, keeping you more informed and secure.