AD user locked out alert using SAM

Hi Folks,

I am using the SAM module and I want to get notified whenever a user account is locked out, with username and workstation info.

I have tried to achieve this with Active Directory templates, but it is giving loads of event messages in a single email. I want one email per user.

Can someone please help me with this requirement?

Regards,

Akash

  • Have you tried making a single SAM template for just this condition and deploying it? When an Active Directory user account is locked, an account lockout event ID is added to the Windows event logs. Event ID 4740 is added on domain controllers and the event 4625 is added to client computers.

  • I suspect this is what they have done but the problem is the alert/component monitor will show all the events collected in the last X time period. I'm not sure how they would go about it in SAM to get 1 email per user unless only 1 user was being locked out per polling collection interval. 

  • Good point. We only use this for Service Accounts, so it does not happen often enough to worry about multiple lockouts per polling period; however, this may be a weak point in our setup if multiple lock up. That said, whenever a Service Account locks up, an alert is generated and people are on it right away, so those events are short lived. Perhaps at least collect the data via SAM or one of the Log engines and use a Custom SWQL alert against the DB table if you need to do something outside of what SW does out of the box?
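
An added example, not part of any post in this thread and not SolarWinds code: a PowerShell script that reads event ID 4740 from a domain controller's Security log and reduces the events to one record per locked-out user, with the caller workstation. The `$LookbackMinutes` parameter and the output format are assumptions; delivery of each message is left to whatever alerting tool consumes the output.

```powershell
# Added example: one lockout record per user from event ID 4740.
# Run on a domain controller with rights to read the Security log.
param(
    [int]$LookbackMinutes = 5   # assumption: set this to your polling interval
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no lockouts".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$lockouts = foreach ($evt in $events) {
    # Read the named EventData fields rather than positional Properties.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        User        = $data['TargetUserName']
        # In 4740 the caller computer name is carried in TargetDomainName.
        Workstation = $data['TargetDomainName']
        DC          = $evt.MachineName
    }
}

# Collapse repeated lockouts: one record per user, newest event wins.
$perUser = $lockouts | Group-Object User | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        User        = $latest.User
        Workstation = $latest.Workstation
        DC          = $latest.DC
        LastLockout = $latest.TimeCreated
        Count       = $_.Count
    }
}

# Emit one message line per user; send each line as its own notification.
$template = 'Account locked out: {0} from {1} (DC {2}, last at {3:yyyy-MM-dd HH:mm:ss}, {4} event(s))'
foreach ($u in $perUser) {
    $template -f $u.User, $u.Workstation, $u.DC, $u.LastLockout, $u.Count
}
```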
