Purpose :
The purpose of this project is to monitor Active Directory account lockouts in a domain whose domain controllers run a mix of Windows Server 2003 and Windows Server 2008. There are two scripts :
- the logging script runs on each domain controller once an hour (for example, a scheduled task that starts every day at 9:00 and repeats every hour for 24 hours). It collects the lockout events of the last hour from the Security log: event ID 4740 on Windows 2008 and event ID 644 on Windows 2003. A lockout is logged on the DC that locked the account and also on the PDC emulator, which is notified of every lockout in the domain; the task is deployed on every DC.
- the monitoring script runs on one system and parses the log files written by the domain controllers. It is scheduled every hour as well, but starts 15 minutes after the logging scripts (for example, the task starts every day at 9:15 and repeats every hour for 24 hours) so that every DC has finished writing. If a locked-out account is found, an email is sent. Note that the log files are written under the NETLOGON share, which every authenticated domain user can read by default; since the files contain account names and the caller computer names, a dedicated share with a restricted ACL is preferable if that information must not be visible to all users.
Logging script for Windows 2003 :
# Major OS version (5 = Windows 2003, 6 = Windows 2008); the monitoring script uses it to pick the message layout
$OS=((Get-WmiObject Win32_OperatingSystem).version).split(".")[0]
# Lockout events (644) of the last hour, flattened to one "OS;time;eventid;message" line per event (line breaks in the message become ";" separators; ASCII encoding turns non-ASCII characters into "?")
get-eventlog -LogName Security -After (get-date).addhours(-1) -EntryType SuccessAudit | where {($_.eventid -eq "644")} | Foreach-Object {$os + ";" + ($_.timegenerated).tostring() + ";" + ($_.eventid).tostring() + ";" + ((($_.message -replace "`n", ";") -replace ";`t","") -replace "`r",";")} | Out-File -FilePath ("\\DOMAIN\NETLOGON\lockout\$env:COMPUTERNAME.txt") -encoding ASCII -append -Width 1000
Logging script for Windows 2008 :
# Major OS version (6 = Windows 2008); the monitoring script uses it to pick the message layout
$OS=((Get-WmiObject Win32_OperatingSystem).version).split(".")[0]
# Lockout events (4740) of the last hour, flattened to one "OS;time;eventid;message" line per event (line breaks in the message become ";" separators; ASCII encoding turns non-ASCII characters into "?")
get-eventlog -LogName Security -After (get-date).addhours(-1) -EntryType SuccessAudit | where {($_.eventid -eq "4740")} | Foreach-Object {$os + ";" + ($_.timegenerated).tostring() + ";" + ($_.eventid).tostring() + ";" + ((($_.message -replace "`n", ";") -replace ";`t","") -replace "`r",";")} | Out-File -FilePath ("\\DOMAIN\NETLOGON\lockout\$env:COMPUTERNAME.txt") -encoding ASCII -append -Width 1000
Monitoring script :
Import-Module ActiveDirectory
$date = get-date

# Read every DC log file from the share (empty files are skipped)
$a = @()
foreach ($file in (Get-ChildItem "\\domain\netlogon\lockout\*.txt")){
    if (gc $file.FullName) {
        $a += gc $file.FullName
        $a += "`n"
    }
}

# Keep "time;caller computer field;account name field" per event. The field positions depend on the
# message layout of each event: 644 on OS major version 5 (Windows 2003), 4740 on OS major version 6 (Windows 2008).
# A line break followed by a tab-indented message line produces one ";", any other line break two.
$b = @()
if ($a) {
    foreach ($line in $a) {
        if (($line.split(";")[0] -like "*5*")){
            $b += $line.split(";")[1] + ";" + $line.split(";")[12] + ";" + $line.split(";")[6]
        }
        elseif (($line.split(";")[0] -like "*6*")) {
            $b += $line.split(";")[1] + ";" + $line.split(";")[22] + ";" + $line.split(";")[17]
        }
    }
    # The account name is the last tab-separated token of the account name field
    $username = @()
    foreach ($entry in $b) {
        $split = $entry.split(";")[2]
        $username += $split.split("`t")[($split.split("`t").count -1)]
    }
    $c = $b |select -Unique|Out-String
    # Resolve each locked-out account to its distinguished name
    $user_list = @()
    foreach ($user in $username) {
        $user_list += (get-aduser ($user |select -Unique)).distinguishedname
    }
    $user_list = $user_list | select -Unique
    #Send mail
    $message_success = "Locked out user account(s) :"+ `
        "`n"+ ($user_list |Out-String ) + `
        "`n`n`n Detailed information :"+ `
        "`n"+ $c
    $emailFrom = "sender@mail.com"
    $emailTo = "to@mail.com"
    $subject = "Account lockout status : "+$date
    $smtpServer = "smtp_server_hostname"
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($emailFrom, $emailTo, $subject, $message_success)
}
#Archive old logs (the Archive folder must already exist; -Force overwrites the previous copy of each DC file)
if (Get-ChildItem "\\domain\netlogon\lockout\*.txt") {
    Move-Item -Force "\\domain\netlogon\lockout\*.txt" "\\domain\netlogon\lockout\Archive"
}
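The monitoring script above picks the account and caller fields by position (6/12 for event 644, 17/22 for event 4740), which only holds while the event message layout stays exactly as flattened by the logging scripts. The following is an added example, not code from the original post: it parses the same "OS;time;eventid;message" lines by field label instead, and then groups the lockouts per account so the caller computer behind a lockout storm stands out. The three log lines are constructed sample data; the label strings ("Target Account Name", "Caller Machine Name", "Account Name", "Caller Computer Name") are those of English-language DCs and are an assumption for any other locale. It runs on PowerShell 2.0, the version found on the DCs discussed.

```powershell
# Added example (not part of the original post): label-based parsing of the lockout log lines.

function ConvertFrom-LockoutLine {
    param([string]$Line)
    if ([string]::IsNullOrEmpty($Line) -or $Line.Trim().Length -eq 0) { return }
    $fields = $Line -split ';'
    if ($fields.Count -lt 4) { return }
    $eventId = $fields[2] -as [int]
    # Labels of the locked account and of the caller machine in each event's message
    # (English message text assumed; these labels are localized on non-English DCs)
    $labels = @{
        644  = @{ Account = 'Target Account Name'; Caller = 'Caller Machine Name' }
        4740 = @{ Account = 'Account Name';        Caller = 'Caller Computer Name' }
    }
    if ($eventId -eq $null -or -not $labels.ContainsKey($eventId)) { return }
    # Turn every "Label:<tab(s)>value" message field into a lookup table. 4740 carries
    # "Account Name" twice (subject first, then the locked account); the later one wins.
    $message = @{}
    foreach ($field in $fields[3..($fields.Count - 1)]) {
        if ($field -match '^\s*(?<label>[^:\t]+):\t+(?<value>.+)$') {
            $message[$Matches['label'].Trim()] = $Matches['value'].Trim()
        }
    }
    New-Object PSObject -Property @{
        Time    = $fields[1]   # kept as written by the DC (ToString() is culture-dependent)
        EventId = $eventId
        Account = $message[$labels[$eventId].Account]
        Caller  = $message[$labels[$eventId].Caller]
    }
}

# Constructed sample lines in the shape the logging scripts emit: ";" and tab characters are
# what the flattening leaves in the message, blank message lines become runs of ";".
$sampleLines = @(
    "5;10/12/2012 09:37:12;644;User Account Locked Out:;Target Account Name:`tjdoe;Target Account ID:`t%{S-1-5-21-1-2-3-1105};Caller Machine Name:`tWS01;Caller User Name:`tDC01`$;Caller Domain:`tDOMAIN;Caller Logon ID:`t(0x0,0x3E7)",
    "6;10/12/2012 09:41:05;4740;A user account was locked out.;;;;Subject:;Security ID:`t`tS-1-5-18;Account Name:`t`tDC02`$;Account Domain:`t`tDOMAIN;Logon ID:`t`t0x3e7;;;;Account That Was Locked Out:;Security ID:`t`tS-1-5-21-1-2-3-1105;Account Name:`t`tjdoe;;;;Additional Information:;Caller Computer Name:`tWS01",
    "6;10/12/2012 09:52:40;4740;A user account was locked out.;;;;Subject:;Security ID:`t`tS-1-5-18;Account Name:`t`tDC02`$;Account Domain:`t`tDOMAIN;Logon ID:`t`t0x3e7;;;;Account That Was Locked Out:;Security ID:`t`tS-1-5-21-1-2-3-1201;Account Name:`t`tasmith;;;;Additional Information:;Caller Computer Name:`tSRV-APP01"
)

$events = $sampleLines | ForEach-Object { ConvertFrom-LockoutLine $_ }

# One row per account: number of lockouts in the window and the machines they came from
$summary = $events | Group-Object Account | ForEach-Object {
    $callers = $_.Group | ForEach-Object { $_.Caller } | Sort-Object -Unique
    New-Object PSObject -Property @{
        Account  = $_.Name
        Lockouts = $_.Count
        Callers  = $callers -join ', '
        LastSeen = ($_.Group | Select-Object -Last 1).Time
    }
}
$summary | Sort-Object Lockouts -Descending | Format-Table Account, Lockouts, Callers, LastSeen -AutoSize
```

With the sample data the table shows jdoe locked out twice (once per DC, both from WS01) and asmith once from SRV-APP01. The `$events` objects can be fed to the same `Get-ADUser` and SMTP code as the original script; the one thing the positional version does better is locale independence, since it never looks at the message text.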
Monitor locked out user accounts