I've set up an event log monitor to watch for event ID 4740 and that works properly. I'm trying to figure out how to get the username of the locked-out account in the message of the email alert. Ideas?
I am using the template (just uploaded to content sharing) which does this.
Works great!
Hi.
My glimpse at this makes me think that it checks for a single account. Correct? What I need is an alert whenever any AD account gets a lockout.
Thx.
I recommend you look at three templates below. Any of them should meet your requirements.
I know this is kind of old, but I'm trying to figure out how this template works. I've configured the script but I'm not sure how you actually tie it to the AD account? For other monitors you use, they get tied to a server name or IP...I seem to be missing something with this.
In the case of the Windows Server 2008-2012 Domain Controller Security, this template is assigned to the Domain Controller itself and will return the number of locked out users, disabled users, etc. For the specific details of which accounts are locked out and when, you will find that information in the "User Account: Account was locked out" Windows Event Log Monitor component details view.
Thanks but I was talking about the "Checks for a locked AD account" template.
Is there a way to create an alert and email from this template when an account gets locked? I have the template applied and can see the log viewer in SolarWinds showing the event 4740 of an account getting locked. Instead of having to use the method of forwarding an event trap and all that, since this already has the info I hope there is a way to email an alert off it.
Thanks
You could configure an alert to notify you when this component goes down (indicates a match has been found) and use the ${WindowsEventMessages} macro in the email message body, which will include the full details of the Windows Event Log in the email alert notification.
Yeah, I ended up opening a ticket and that is what we did. First off, it seems the Real-time event log viewer, service control manager, etc. are permission based in the SAM settings. I couldn't figure out why I couldn't see those. I figured since I was an admin that I would see all features. From that I found an article saying you could view the event logs and launch a wizard from that to create alerts.
But the way we did it was just go into Advanced Alerts and create a component alert as you mentioned.
Trigger Condition:
Node Status is not equal to Down
Component Status is equal to Down
Component Name is equal to User Account: Account was locked out
Trigger Actions: Email
In the body of the email we put ${WindowsEventMessages}
I would give aLTeReGo full credit if I hadn't already used tech support.
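For readers who want the locked-out username as a separate field rather than the full event text, the following is an added example, not part of the thread and not code from any SolarWinds template. It reads the username from the XML of a 4740 event. The function name `Get-LockoutDetail` and the sample event are constructed for illustration; `TargetUserName`, `TargetDomainName` and `SubjectUserName` are the data fields of event 4740.

```powershell
# Added example: extract who was locked out, and from where, from event 4740 XML.
function Get-LockoutDetail {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System.EventID -ne '4740') { return }   # ignore any other event

        # EventData is a list of <Data Name="...">value</Data>; index it by name.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreatedUtc   = $evt.System.TimeCreated.SystemTime
            LockedAccount    = $data['TargetUserName']    # the account that was locked out
            CallerComputer   = $data['TargetDomainName']  # 4740 puts the caller computer name here
            LoggedBy         = $data['SubjectUserName']   # account that recorded the lockout, not the locked user
            DomainController = $evt.System.Computer
        }
    }
}

# Constructed sample in the shape returned by (Get-WinEvent ...).ToXml(); all names are made up.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:12.000000000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKS-042</Data>
    <Data Name="TargetSid">S-1-5-21-0-0-0-1104</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@

$sample | Get-LockoutDetail

# Against a live domain controller's Security log (requires rights to read it):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#     ForEach-Object { $_.ToXml() } | Get-LockoutDetail
```

The event carries two account names: the subject (normally the domain controller's machine account) and the target, so an alert that keys on the first "Account Name" in the message text reports the wrong one.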