is there a way to configure an alert in NPM to email me when someone locks out their AD account?
You can do this with NPM and SNMP traps.
Configure all domain controllers - which is where the lockout event is logged - with evntwin.exe to send Security event ID 644 as a trap. NOTE: Server 2008+ domain controllers may log a different event ID than Server 2003 - I haven't checked. You will also need to configure the SNMP service itself with the trap destination(s) and community name - it's a tab in the properties of the SNMP service.
You can do remote updates in bulk to all DCs with the evntcmd.exe tool & .cnf files. The .cnf files are created with the evntwin.exe tool, and you can edit the .cnf file manually to add comments etc.
Next, you need to create a new trap rule in Orion. See the attached image for how my rule is set up - note that I have Site_Name as a node custom property, and I exclude "administrator" from the criteria because it very often unavoidably locks in our particular environment.
I don't know why more people don't use Windows' built-in trap sending ability rather than using the frequently-advertised awkward (to me, anyway) SolarWinds Event Log Forwarder method of sending via syslog. Trap email alerts are more configurable.
I think you'll have to use APM/SAM to do this. There is an account lockout template available that should get you started.
This thread has some information and links to the templates:
krfitzgerald--
I think this is something that could be solved with SAM. Please see here.
Hope this helps,
DH
Whoops, looks like bobross beat me to it!
Where do I find evntwin.exe? I've never heard of it.
It's installed when the SNMP feature is added to Windows. So, it's located at start->Run.
ok, I have it open, how do I add events to the evntwin.exe console?
Hi,
Don't know if you can reply anymore since this was 2012, but I do have the template and yet I cannot get it to poll only specific OUs and children of the OUs, so that the alerts go only to the IT group that is responsible for the users in specific OUs.
It works if every user is in the USERS OU of the same Site OU, but I cannot figure out how to write the script to include several different OUs - I have tried and cannot get the stringfilter to only look in certain OUs.
Thank you
Because we are not allowed to install on domain controllers without a big change control meeting, and if it requires a reboot, forget it. I will look to see if the utility is already on the server though. Where is it located?
I've found this works best by using a powershell script (which is VERY friendly to your AD environment) rather than going with traps, Eventlog, or other techniques.
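As an added illustration of the PowerShell approach (this is not the poster's script, nor a SolarWinds template), the following polls each domain controller's Security log for lockout events and emails a summary. It reads event ID 4740, which is the "user account was locked out" event on Server 2008 and later (the 644 mentioned earlier in the thread is the Server 2003 ID), and skips the "administrator" account the same way the trap rule above does. The DC names, SMTP host and mail addresses are placeholders.

```powershell
# Added example, not code from this thread. Run from a scheduled task every $LookbackMinutes.
# Placeholders to replace: DC hostnames, SMTP server, From/To addresses.
$DomainControllers = @('DC01.example.com', 'DC02.example.com')   # assumption: your DC names
$ExcludedAccounts  = @('administrator')                           # mirrors the trap rule's exclusion
$LookbackMinutes   = 15
$MailParams = @{
    SmtpServer = 'smtp.example.com'          # assumption
    From       = 'npm-alerts@example.com'    # assumption
    To         = 'it-oncall@example.com'     # assumption
}

# 4740 = "A user account was locked out" (Server 2008+). 644 is the equivalent on Server 2003.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }

$lockouts = foreach ($dc in $DomainControllers) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; only warn on other failures (e.g. DC unreachable)
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $($_.Exception.Message)" }
        continue
    }
    foreach ($ev in $events) {
        # Read named fields from the event XML instead of relying on positional Properties[] indexes
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($ExcludedAccounts -contains $data['TargetUserName']) { continue }
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Account = $data['TargetUserName']
            Caller  = $data['TargetDomainName']   # on 4740 this field carries the caller computer name
            DC      = $dc
        }
    }
}

if ($lockouts) {
    $body = $lockouts | Sort-Object Time | Format-Table -AutoSize | Out-String
    Send-MailMessage @MailParams -Subject "AD lockouts: $(@($lockouts).Count) in last $LookbackMinutes min" -Body $body
} else {
    Write-Verbose 'No new lockouts.'
}
```

The account running the task needs read access to the Security log on each DC (Event Log Readers membership is enough), so nothing has to be installed on the domain controllers themselves.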