Purpose :
The purpose of this project is to monitor Active Directory for user account lockouts in a domain with mixed domain controller operating systems (Windows 2003 and 2008). There are two scripts :

  • the logging script runs on each domain controller once an hour, every day (for example, the task starts every day at 9:00 and repeats every hour for 24 hours). It collects the Security events of the last hour with event ID ‘4740’ (Windows 2008) or ‘644’ (Windows 2003) and appends them to a per-DC log file on the NETLOGON share.
  • the monitoring script runs on one system and parses the log files generated by the domain controllers. It is scheduled every hour as well, but starts 15 minutes after the logging scripts (for example, the task starts every day at 9:15 and repeats every hour for 24 hours). If a locked-out account is found, an email is sent.

Logging script for Windows 2003 :
# Major OS version (5 = Windows 2003); written as the first field of every line so the monitoring script knows the message layout
$OS = ((Get-WmiObject Win32_OperatingSystem).Version).Split(".")[0]
Get-EventLog -LogName Security -After (Get-Date).AddHours(-1) -EntryType SuccessAudit | Where-Object { $_.EventID -eq 644 } |
  ForEach-Object { $OS + ";" + $_.TimeGenerated.ToString() + ";" + $_.EventID.ToString() + ";" + ((($_.Message -replace "`n", ";") -replace ";`t", "") -replace "`r", ";") } | Out-File -FilePath "\\DOMAIN\NETLOGON\lockout\$env:COMPUTERNAME.txt" -Encoding ASCII -Append -Width 1000

Logging script for Windows 2008 :

# Major OS version (6 = Windows 2008); written as the first field of every line so the monitoring script knows the message layout
$OS = ((Get-WmiObject Win32_OperatingSystem).Version).Split(".")[0]
Get-EventLog -LogName Security -After (Get-Date).AddHours(-1) -EntryType SuccessAudit | Where-Object { $_.EventID -eq 4740 } |
  ForEach-Object { $OS + ";" + $_.TimeGenerated.ToString() + ";" + $_.EventID.ToString() + ";" + ((($_.Message -replace "`n", ";") -replace ";`t", "") -replace "`r", ";") } | Out-File -FilePath "\\DOMAIN\NETLOGON\lockout\$env:COMPUTERNAME.txt" -Encoding ASCII -Append -Width 1000

Monitoring script :

Import-Module ActiveDirectory
$date = Get-Date

# Gather every line written by the domain controllers (one file per DC)
$a = @()
foreach ($file in (Get-ChildItem "\\domain\netlogon\lockout\*.txt")) {
    if (gc $file.FullName) {
        $a += gc $file.FullName
        $a += "`n"
    }
}

# Keep the time, caller machine and account fields. Their positions differ between the
# Windows 2003 (major version 5, event 644) and Windows 2008 (version 6, event 4740) message layouts
$b = @()
if ($a) {
    foreach ($line in $a) {
        if ($line.split(";")[0] -like "*5*") {
            $b += $line.split(";")[1] + ";" + $line.split(";")[12] + ";" + $line.split(";")[6]
        }
        elseif ($line.split(";")[0] -like "*6*") {
            $b += $line.split(";")[1] + ";" + $line.split(";")[22] + ";" + $line.split(";")[17]
        }
    }

    # The account field reads "<label>:<tab>...<name>"; the account name is the last tab-separated token
    $username = @()
    foreach ($entry in $b) {
        $split = $entry.split(";")[2]
        $username += $split.split("`t")[($split.split("`t").count - 1)]
    }
    $c = $b | select -Unique | Out-String

    # Resolve each locked-out account to its distinguished name
    $user_list = @()
    foreach ($user in $username) {
        $user_list += (Get-ADUser ($user | select -Unique)).DistinguishedName
    }
    $user_list = $user_list | select -Unique

    #Send mail
    $message_success = "Locked out user account(s) :" + `
        "`n" + ($user_list | Out-String) + `
        "`n`n`n Detailed information :" + `
        "`n" + $c

    $emailFrom = "sender@mail.com"
    $emailTo = "to@mail.com"
    $subject = "Account lockout status : " + $date
    $smtpServer = "smtp_server_hostname"
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($emailFrom, $emailTo, $subject, $message_success)
}

#Archive old logs (processed files are moved away so the next run only sees new lines)
if (Get-ChildItem "\\domain\netlogon\lockout\*.txt") {
    Move-Item -Force "\\domain\netlogon\lockout\*.txt" "\\domain\netlogon\lockout\Archive"
}
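The monitoring script picks the account and caller fields by fixed split() positions (12/6 for 2003, 22/17 for 2008), which breaks as soon as a message layout differs. The following is an added example, not code from the original post: it parses the same "<OS major>;<time>;<event id>;<message fields joined by ;>" lines by field label instead, so one parser serves both the 644 and 4740 layouts, and it summarises lockouts per account. The function names and the two sample log lines are constructed for this example; exact spacing on a real DC may differ, which is exactly what label matching tolerates.

```powershell
function ConvertFrom-LockoutLine {
    param([Parameter(Mandatory)][string]$Line)
    $fields = $Line -split ';'
    if ($fields.Count -lt 4) { return $null }   # not a log line (e.g. the "`n" spacer)
    $values = @{}
    foreach ($f in $fields[3..($fields.Count - 1)]) {
        # Message fields look like "Label:<tab(s)>Value". Later duplicates overwrite
        # earlier ones, so for 4740 "Account Name" ends up as the locked-out account,
        # not the Subject that reported the lockout.
        if ($f.Trim() -match '^([^:\t]+):\t+(.+)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    # 644 (2003) labels the fields "Target Account Name" / "Caller Machine Name",
    # 4740 (2008) uses "Account Name" / "Caller Computer Name"
    $account = $values['Target Account Name']
    if (-not $account) { $account = $values['Account Name'] }
    $caller = $values['Caller Machine Name']
    if (-not $caller) { $caller = $values['Caller Computer Name'] }
    [pscustomobject]@{ OS = $fields[0]; Time = $fields[1]; EventId = $fields[2]; Account = $account; Caller = $caller }
}

function Get-LockedOutSummary {
    param([string[]]$Lines)
    $Lines | Where-Object { $_ -match ';' } |
        ForEach-Object { ConvertFrom-LockoutLine -Line $_ } |
        Where-Object { $_.Account } |
        Group-Object Account | ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Lockouts = $_.Count
                Callers  = ($_.Group.Caller | Sort-Object -Unique) -join ','   # which machines are locking it
                LastSeen = ($_.Group.Time | Select-Object -Last 1)
            }
        }
}

# Constructed sample lines in the logging scripts' format: one 2008 (4740) and one 2003 (644) lockout of the same account
$sample = @(
    "6;06/10/2014 09:12:33;4740;A user account was locked out.;;;;Subject:;Security ID:`t`tS-1-5-18;Account Name:`t`tDC01`$;Account Domain:`t`tDOMAIN;Logon ID:`t`t0x3e7;;;;Account That Was Locked Out:;Security ID:`t`tS-1-5-21-1000;Account Name:`t`tjdoe;;;;Additional Information:;Caller Computer Name:`tWS01",
    "5;06/10/2014 09:14:05;644;User Account Locked Out:;Target Account Name:`tjdoe;Target Account ID:`tS-1-5-21-1000;Caller Machine Name:`tWS02;Caller User Name:`tDC02`$;Caller Domain:`tDOMAIN;Caller Logon ID:`t(0x0,0x3E7)",
    "`n"    # spacer the monitoring script appends between files
)
Get-LockedOutSummary -Lines $sample | Format-Table -AutoSize
```

Repeated lockouts of one account from several callers in the same hour usually point at a stale credential (a service, mapped drive or cached session) rather than a user typing a wrong password, so the Callers column is the first thing to look at.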
Monitor locked out user accounts


  • June 5, 2014 at 9:39 pm

    Fantastic website you have here but I was curious about if you knew of any forums that
    cover the same topics talked about here? I’d really
    love to be a part of group where I can get comments from other knowledgeable
    people that share the same interest. If you have any suggestions, please let me know.
    Many thanks!
