Version 1

    It took a team effort to get useful results but here it is. Hope you guys find it useful.


    Solarwinds Alerting Engine Service needs to run under an ad account with admin privileges in the domain. This allows the service to run powershell scripts in the proper security context to get the information you need.


    The alert should be configured as such:


    Scope of the Alert:

    only following set of objects

    all objects where all child conditions must be satisfied (and)

         node     sytem name     is equal to     your PDC emulator in your domain


    actual trigger conditions:

    trigger alert when all child conditions must be satisfied (and)

         component     statistic data (component alerting)     is greater than     0

         component     component type (Component alert)     is equal to      42

         node     status     is not equal to     down




    Trigger actions configured as such:


    Message Displayed when Alert is triggered:

    ${N=Alerting;M=AlertName} was triggered.


    Trigger Actions:

      First Action:

           Name of Action:NetPerfMon Event Log : Component  ${N=SwisEntity;M=ComponentAlert.ComponentName} on Application ${N=SwisEntity;M=Application.ApplicationAlert.ApplicationName} on Node ${N=SwisEntity;M=Application.Node.Caption} is ${N=SwisEntity;M=ComponentAlert.ComponentAvailability}

         Message to send to Network Performance Monitor Event Log

    Component  ${N=SwisEntity;M=ComponentAlert.ComponentName} on Application ${N=SwisEntity;M=Application.ApplicationAlert.ApplicationName} on Node ${N=SwisEntity;M=Application.Node.Caption} is ${N=SwisEntity;M=ComponentAlert.ComponentAvailability}



    Second Action:

         Name of Action (execute and External Program):Run powershell script to email message

         Network path to external program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy unrestricted -command your script here

         Optional Windows Authentication:

              Define User

              User name: Enter username and password with domain admin rights




    Here is the script we use. You will need to change the $smtpserver, $from and the $to variable to suit your environment. Also , the interval in the script should be the Solarwinds alert polling interval +1 found in this line : if (((get-date) - $i.timecreated).totalminutes -le 5)


    # ************************************************************

    # Script name: LockedOutAlert.ps1 *

    # Written by: Gary Wong *

    # Purpose: Check security eventlog for event id 4740 which *

    #       is generated by ad account locked out. If detected,  *

    #       an Email will send out the Alert message             *

    # Requirement: MS AD module                                  *

    # ************************************************************

    # let the game begin


    function Mail2Me ($message, $userID)


               $SmtpServer ="Your smtp server here" 

                  $from = "Your From Address Here"

                  $to = "<Your To address here>,< and here>, <etc>"         

               $smtp = new-object$SmtpServer)

                $mail = new-object System.Net.Mail.MailMessage

                  $mail.From = $from


                  $mail.Subject = "AD User Account $UserID is LockedOut "

                 $mail.Body = $message

                #$mail.IsBodyHtml = $true;


    } # end of function Mail2me

    # Main



    $Levent=Get-WinEvent -ComputerName $PDC -FilterHashtable @{Logname='Security';Id=4740} -ErrorAction SilentlyContinue

    if ($Levent)


    foreach ($i in $Levent)


                  if (((get-date) - $i.timecreated).totalminutes -le 5)


                      $UserInfo=$[0].value|get-aduser -properties *







    $message =@"

    The Lockedout account ID: $UserID


    The user name           : $UserName


    User Phone number       : $Phone


    Locked out occurred on  : $Tc


    Initiated computer name  : $Init



                       Mail2Me $message $UserID




    # **** That is all Gary Wrote ****


    This alert will produce an email that looks like this:


    From: Your From Address
    Sent: Wednesday, March 30, 2016 2:43 PM
    To: Your chosen recipients
    Subject: AD User Account helpme is LockedOut


    The Lockedout account ID: helpme


    The user name : User NAME*HelpMe Test Account


    User Phone number : (xxx) xxx-xxxx


    Locked out occurred on : 03/30/2016 14:39:18


    Initiated computer name : xxxxxxxxxxxxx