Alerting when an AD Account is locked out

Version 1

    It took a team effort to get useful results but here it is. Hope you guys find it useful.


    The SolarWinds Alerting Engine service needs to run under an AD account with admin privileges in the domain. This lets the PowerShell script it launches run in a security context that can read the PDC emulator's Security log and query AD for the locked-out user's details.

    The alert should be configured as such:

    *****************

    Scope of the Alert:

    only the following set of objects

    all objects where all child conditions must be satisfied (AND)

         node     system name     is equal to     the PDC emulator of your domain

    Actual trigger conditions:

    trigger alert when all child conditions must be satisfied (AND)

         component     statistic data (component alerting)     is greater than     0

         component     component type (component alert)     is equal to     42

         node     status     is not equal to     down

    ******************************

    Trigger actions configured as such:

    ***********************************

    Message displayed when the alert is triggered:

    ${N=Alerting;M=AlertName} was triggered.

    Trigger Actions:

      First Action:

           Name of Action: NetPerfMon Event Log : Component ${N=SwisEntity;M=ComponentAlert.ComponentName} on Application ${N=SwisEntity;M=Application.ApplicationAlert.ApplicationName} on Node ${N=SwisEntity;M=Application.Node.Caption} is ${N=SwisEntity;M=ComponentAlert.ComponentAvailability}

           Message to send to Network Performance Monitor Event Log:

    Component ${N=SwisEntity;M=ComponentAlert.ComponentName} on Application ${N=SwisEntity;M=Application.ApplicationAlert.ApplicationName} on Node ${N=SwisEntity;M=Application.Node.Caption} is ${N=SwisEntity;M=ComponentAlert.ComponentAvailability}

    ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages}

      Second Action:

           Name of Action (Execute an External Program): Run powershell script to email message

           Network path to external program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy unrestricted -command your script here

           Optional Windows Authentication:

                Define User

                User name: Enter username and password with domain admin rights

    ******************************

    Here is the script we use. You will need to change the $SmtpServer, $from and $to variables to suit your environment. Also, the time window in the script should be the SolarWinds alert polling interval + 1 minute; it is the 5 in this line: if (((get-date) - $i.timecreated).totalminutes -le 5)

# ************************************************************
# Script name: LockedOutAlert.ps1                            *
# Written by: Gary Wong                                      *
# Purpose: Check the Security event log for event ID 4740,   *
#       which is generated when an AD account is locked out. *
#       If one is detected, an email alert is sent.          *
# Requirement: MS AD module                                  *
# ************************************************************
# let the game begin
#
Import-Module ActiveDirectory   # needed where the AD module is not auto-loaded (e.g. PowerShell 2.0)

function Mail2Me ($message, $userID)
{
    $SmtpServer = "Your smtp server here"
    $from       = "Your From Address Here"
    # MailAddressCollection.Add accepts a comma-separated list of recipients
    $to         = "<Your To address here>,< and here>, <etc>"
    $smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer)
    $mail = New-Object System.Net.Mail.MailMessage
    $mail.From = $from
    $mail.To.Add($to)
    $mail.Subject = "AD User Account $UserID is LockedOut "
    $mail.Body = $message
    #$mail.IsBodyHtml = $true;
    $smtp.Send($mail)
} # end of function Mail2Me

# Main
# Account lockouts are always processed and logged on the PDC emulator, so that is the DC to query
$PDC = (Get-ADDomain).PDCEmulator

# Get-WinEvent reports "no events found" as an error, hence SilentlyContinue
$Levent = Get-WinEvent -ComputerName $PDC -FilterHashtable @{Logname='Security';Id=4740} -ErrorAction SilentlyContinue
if ($Levent)
{
    foreach ($i in $Levent)
    {
        # only report events newer than the alert polling interval (+1 minute)
        if (((get-date) - $i.timecreated).totalminutes -le 5)
        {
            # event 4740: properties[0] = locked-out account (TargetUserName)
            #             properties[1] = caller computer name (TargetDomainName)
            $UserInfo = $i.properties[0].value | Get-ADUser -Properties *
            $Tc       = $i.timecreated
            $UserID   = $UserInfo.SamAccountName
            $UserName = $UserInfo.Name
            $Phone    = $UserInfo.TelephoneNumber
            $Init     = $i.properties[1].value
            #$MSg=$i.message
$message = @"
The Lockedout account ID: $UserID

The user name           : $UserName

User Phone number       : $Phone

Locked out occurred on  : $Tc

Initiated computer name  : $Init
"@
            Mail2Me $message $UserID
        }
    }
}
# **** That is all Gary Wrote ****


    This alert will produce an email that looks like this:

    From: Your From Address
    Sent: Wednesday, March 30, 2016 2:43 PM
    To: Your chosen recipients
    Subject: AD User Account helpme is LockedOut

    The Lockedout account ID: helpme

    The user name : User NAME*HelpMe Test Account

    User Phone number : (xxx) xxx-xxxx

    Locked out occurred on : 03/30/2016 14:39:18

    Initiated computer name : xxxxxxxxxxxxx
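    The following PowerShell is an added example, not Gary's script and not part of the original post. It shows two changes a practitioner would want when running this kind of lockout alert: the 4740 event is read by field name (TargetUserName, TargetDomainName) instead of by array position, and Get-WinEvent is asked for only the polling window via StartTime, so the PDC emulator returns a handful of events rather than every 4740 it has ever logged. The function names (ConvertFrom-LockoutEvent, Get-RecentLockouts, Send-LockoutAlert), the SMTP host, sender and recipients, and the sample event XML are all constructed placeholders; only the live query path needs the ActiveDirectory module, and the parser runs offline against the sample.

```powershell
# Added example (not part of the original post): parse a 4740 lockout event by field
# name and query only the events newer than the polling window.
# Assumptions: ActiveDirectory module available for Get-ADDomain (live path only);
# SMTP server, sender, recipients and the sample event below are placeholders.

function ConvertFrom-LockoutEvent {
    # Turns the XML of a Security event 4740 into a flat object
    param([Parameter(Mandatory = $true)][xml]$EventXml)

    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated    = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        LoggedOnDC     = $EventXml.Event.System.Computer
        LockedAccount  = $data['TargetUserName']
        # In 4740, TargetDomainName carries the name of the computer the failed logons came from
        CallerComputer = $data['TargetDomainName']
        Subject        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    }
}

function Get-RecentLockouts {
    # Queries the PDC emulator for lockouts in the last $WindowMinutes minutes
    # (set this to the SolarWinds polling interval + 1, as the post explains)
    param([int]$WindowMinutes = 5)

    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddMinutes(-$WindowMinutes) }
    # Get-WinEvent reports "no events found" as an error, hence SilentlyContinue
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LockoutEvent ([xml]$_.ToXml()) }
}

function Send-LockoutAlert {
    # Emails one parsed lockout; all addresses are placeholders
    param(
        [Parameter(Mandatory = $true)]$Lockout,
        [string]$SmtpServer = 'smtp.example.invalid',
        [string]$From       = 'solarwinds@example.invalid',
        [string[]]$To       = @('helpdesk@example.invalid')
    )
    $body = @"
Locked-out account ID   : $($Lockout.LockedAccount)
Locked out occurred on  : $($Lockout.TimeCreated)
Initiating computer     : $($Lockout.CallerComputer)
Recorded on DC          : $($Lockout.LoggedOnDC)
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "AD User Account $($Lockout.LockedAccount) is LockedOut" -Body $body
}

# Constructed sample event, shaped like the .ToXml() output of a 4740 record (values are made up)
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2016-03-30T18:39:18.000Z" />
    <Computer>dc01.example.invalid</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">helpme</Data>
    <Data Name="TargetDomainName">WKS-EXAMPLE-01</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

# Offline run against the sample. The live equivalent is:
#   Get-RecentLockouts -WindowMinutes 5 | ForEach-Object { Send-LockoutAlert $_ }
ConvertFrom-LockoutEvent ([xml]$sampleXml) | Format-List
```

    Two points on the design. Filtering by StartTime in the query is cheaper than pulling every 4740 the DC holds and discarding most of them in the loop, and reading the EventData fields by name makes the script self-documenting where `properties[1]` is not. On least privilege: reading the Security log of the PDC emulator needs membership in that DC's built-in Event Log Readers group (plus remote event log access), and the user attributes the alert reports are readable by any domain user by default, so the account SolarWinds uses to launch the script can be far more restricted than a domain admin.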