Alerting when an AD Account is locked out

Question

It took a team effort to get useful results but here it is. Hope you guys find it useful. Solarwinds Alerting Engine Service needs to run under an ad account with admin privileges in the domain. This allows the service to run powershell scripts in the proper security context to get the information you need. The alert should be configured as such: ***************** Scope of the Alert: only following set of objects all objects where all child conditions must be satisfied (and) node sytem name is equal to your PDC emulator in your domain actual trigger conditions: trigger alert when all child conditions must be satisfied (and) component statistic data (component alerting) is greater than 0 component component type (Component alert) is equal to 42 node status is not equal to down ****************************** Trigger actions configured as such: *********************************** Message Displayed when Alert is triggered: ${N=Alerting;M=AlertName} was triggered. Trigger Actions: First Action: Name of Action:NetPerfMon Event Log : Component ${N=SwisEntity;M=ComponentAlert.ComponentName} on Application ${N=SwisEntity;M=Application.ApplicationAlert.ApplicationName} on Node ${N=SwisEntity;M=Application.Node.Caption} is ${N=SwisEntity;M=ComponentAlert.ComponentAvailability} Message to send to Network Performance Monitor Event Log Component ${N=SwisEntity;M=ComponentAlert.ComponentName} on Application ${N=SwisEntity;M=Application.ApplicationAlert.ApplicationName} on Node ${N=SwisEntity;M=Application.Node.Caption} is ${N=SwisEntity;M=ComponentAlert.ComponentAvailability} ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages} Second Action: Name of Action (execute and External Program):Run powershell script to email message Network path to external program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy unrestricted -command your script here Optional Windows Authentication: Define User User name: Enter username and password with domain admin rights ****************************** Here is the script we use. You will need to change the $smtpserver, $from and the $to variable to suit your environment. Also , the interval in the script should be the Solarwinds alert polling interval +1 found in this line : if (((get-date) - $i.timecreated).totalminutes -le 5) # ************************************************************ # Script name: LockedOutAlert.ps1 * # Written by: Gary Wong * # Purpose: Check security eventlog for event id 4740 which * # is generated by ad account locked out. If detected, * # an Email will send out the Alert message * # Requirement: MS AD module * # ************************************************************ # let the game begin # function Mail2Me ($message, $userID) { $SmtpServer ="Your smtp server here" $from = "Your From Address Here" $to = ",< and here>, " $smtp = new-object system.net.mail.smtpClient($SmtpServer) $mail = new-object System.Net.Mail.MailMessage $mail.From = $from $mail.To.Add($to) $mail.Subject = "AD User Account $UserID is LockedOut " $mail.Body = $message #$mail.IsBodyHtml = $true; $smtp.Send($mail) } # end of function Mail2me # Main $PDC=(get-addomain).PDCEmulator $Levent=Get-WinEvent -ComputerName $PDC -FilterHashtable @{Logname='Security';Id=4740} -ErrorAction SilentlyContinue if ($Levent) { foreach ($i in $Levent) { if (((get-date) - $i.timecreated).totalminutes -le 5) { $UserInfo=$i.properties[0].value|get-aduser -properties * $Tc=$i.timecreated $UserID=$UserInfo.SamAccountName $UserName=$UserInfo.Name $Phone=$UserInfo.TelephoneNumber $Init=$i.properties[1].value #$MSg=$i.message $message =@" The Lockedout account ID: $UserID The user name : $UserName User Phone number : $Phone Locked out occurred on : $Tc Initiated computer name : $Init Mail2Me $message $UserID } } } # **** That is all Gary Wrote **** This alert will produce an email that looks like this: From: Your From Address Sent: Wednesday, March 30, 2016 2:43 PM To: Your chosen recipients Subject: AD User Account helpme is LockedOut The Lockedout account ID: helpme The user name : User NAME*HelpMe Test Account User Phone number : (xxx) xxx-xxxx Locked out occurred on : 03/30/2016 14:39:18 Initiated computer name : xxxxxxxxxxxxx

naresh8080 · Answer

Hi,

One more way to alert when AD Accounts locked, using windows events.

I configured in my environment successfully.

Step 1: Add AD Windows Event component to SAM, Event matches (4740), the component will show you down and an alert will trigger.

Step 2: Alert settings.

Add below subject to your alert.

An issue on an object you are monitoring occurred at ${N=Alerting;M=AlertTriggerTime;F=DateTime}.

${WindowsEventMessages}

OUT PUT.

An issue on an object you are monitoring occurred at Thursday, November 22, 2018 5:04 PM.

--- Event 1 of 1:

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Logged: 11/22/2018 17:00:12

Event ID: 4740

Level: Audit Success

User:

Computer: SERVER01

A user account was locked out.

Subject:

Security ID:                         S-1-5-18

Account Name:                 SERVER01$

Account Domain:                             local

Logon ID:                             0x3e7

Account That Was Locked Out:

Security ID:                         S-1-5-21-225850238-792946567-925700815-134180

Account Name:                 max

Additional Information:

Caller Computer Name:                laptop01

zennifer · Answer

Thanks for sharing

jbiggley · Answer

Indeed, but our script is a little shorter.  We run this as an application component in SAM.  The component is a PowerShell script running in Local Host mode using an account that has enterprise-wide AD rights.  The component is set to go critical when the returned value is greater than or equal to 1.  (Statistic 1 indicates that the reference account is locked out)

Then we build an alert that checks for this component in critical status and off we go.

We apply the said component monitor to at least 2 of our AD controllers as we have 2 different DCs -- always good to have redundancy.

Hope it helps!

****

## Returns either 'True' or 'False' from the LockedOut property given the name of the User Logon Name

$is_locked = get-aduser insert-username-here -Properties * | Select-Object -exp LockedOut

if ($is_locked -eq 'True')

{

Write-Host 'Statistic: 1'

Write-Host 'message: Account Locked Out'

}else{

Write-Host 'Statistic: 0'

Write-Host 'message: Account Not Locked'

}