Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Powershell monitor with multiple lines of output - alert?

robert777

Working on a powershell monitor to check for account lockouts.

Using the get-aduser powershell command to check lockout status.

I want to send an alert when the account shows as locked out.

seems straightforward when you are checking just one user, like:

bob123 Unlocked

but what about checking a series of names? like:

bob123 Unlocked

mary234 Unlocked

steve345 Locked

tyrell567 Unlocked

Possible to run a powershell script in a component monitor that returns a 'list' and send an alert for just the list member that contains the desired data (in this case 'Locked')?

In a nutshell I want to use Orion to run a "standalone" powershell script and hopefully use the alerting functionality to send an email if a designated account is locked out.

BTW I know you can do this by parsing event ID 4740 on domain controllers for account lockout. We're doing that now in SCOM and truthfully it is hit-and-miss in terms of reliability. I would rather just check lockout status directly on the < 100 service accounts in question and send an email if an account gets locked out.

Thanks in advance for any ideas from the community.

Find more posts tagged with

Accepted answers

All comments

chad.every

So short answer is yes, this can be done in SAM. However, you would have to loop through the users and then covert the array of locked out users into a single comma separated string. The SAM PowerShell component monitor would allow for a numeric count of locked out users followed with a single string output message.

robert777

Cool.

Thanks everyone for responses. As of now I've got most of this working:

Created an application with name something like Test Account Lockout
I have about a dozen accounts to check so current plan to create individual Component Monitors for each account rather than looping through all accounts in a single component monitor.
Set up the PowerShell script in each component monitor. Script looks something like "get-aduser -filter 'name -like "account01"' -Properties * | select Name, LockedOut. Note that when you assign the Application to a node you need to execute the app on a server that has the Microsoft RSAT (Remote Server Administration Tools) loaded which puts the PowerShell AD module on the box which makes get-aduser available.
Set up the script to return 3 variables: Message:AccountName, Message.AccountStatus, Statistic.StatusCode (if LockedOut = False set to 0; otherwise set to 1).
Configure the Component Monitor to go Critical if StatusCode > 0
Set up an alert with an email action to watch that Application (with the associated Component Monitors) and send email to the desired support team if the component goes critical

So far I've got that much working for my test account. One last thing I'm trying to figure out...

how to put the Message.AccountName and Message.AccountStatus variables returned from the Component Monitor script into the subject and body of the email message.

I think I saw a Thwack post about how to do that. I'll see if I can locate the article. Any other pointers or comments from the community are appreciated.