Active Directory Account Lockout – Creation – Deletion – Disable monitoring

We’ve used a variety of third-party tools to monitor Active Directory domain account changes.  They’ve all either been expensive or kind of sucked (or, unfortunately, both).  But if you’re running a relatively new OS on your domain controller you can use the magic of PowerShell to ship you alerts on account changes.  PowerShell can read the local Security event log on your controller, and a Task Scheduler trigger on the event ID you care about runs the script each time a matching event is written, so you get an email for every change.  Here’s an example PowerShell script:

 1  $MailTo = "email1@destination.com,email2@otherdestination.com"
 2  
 3  $Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1   # 4740 = account locked out; change to the ID you want
 4  
 5  If ($Event) {
 6      $MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated     # CR, LF, tab, then the timestamp
 7      $MailSubject = "User Account Locked!"
 8      $SmtpClient = New-Object System.Net.Mail.SmtpClient
 9      $SmtpClient.Host = "your.smtp.server"
10      $MailMessage = New-Object System.Net.Mail.MailMessage
11      $MailMessage.From = "fromemail@address.com"
12      $MailMessage.To.Add($MailTo)                                     # Add() accepts a comma-separated list of addresses
13      $MailMessage.IsBodyHtml = $false
14      $MailMessage.Subject = $MailSubject
15      $MailMessage.Body = $MailBody
16      $SmtpClient.Send($MailMessage)
17      #Write-Host "sending"
18      #$x = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
19      Exit
20  }
21  Else
22  {
23      Exit
24  }
  • Line 1 (`$MailTo`) needs to be modified with your recipient addresses; separate several with commas.
  • Line 3 (the `-InstanceId` on `Get-EventLog`) carries the event ID you’re looking for.  In the list below, the first number is the ID on Windows Server 2003 and earlier; the second is the ID on Server 2008 and later:

624/4720 – User account created
626/4722 – User account enabled
629/4725 – User account disabled
630/4726 – User account deleted
644/4740 – User account locked

  • Line 7 (`$MailSubject`) is the subject of your email, and should be modified to reflect the event you’re reporting.
  • Line 9 (`$SmtpClient.Host`) is the SMTP server to send the mail via.  As written the mail goes out unauthenticated and in the clear; set `$SmtpClient.EnableSsl` and `$SmtpClient.Credentials` if your relay requires them.
  • Line 11 (`$MailMessage.From`) is the From email address.
  • Lines 17 and 18 are commented out, and used for testing/troubleshooting.  Uncommented (remove the #), they’ll print a line and keep the PowerShell window generated by this script onscreen until you hit a key to close it.  They only help when you run the script by hand: a task set to run whether the user is logged on or not has no window to keep open.
  • Save this script as a .ps1 file on your controller.
  • Open your Security Event Log and filter it by Event ID to find an instance of your desired event.
  • Right click on any example of the proper Event ID and choose Attach Task To This Event…
  • Name the task appropriately.
  • For Actions, choose Start a program.
  • In the Program field, put the word Powershell.
  • In the Add arguments (optional) field put the full path to your script (eg: C:\emailAlerts\create_email.ps1).  Prefixing the path with `-ExecutionPolicy Bypass -File` avoids the task silently failing when the machine’s execution policy blocks scripts, and `-File` also copes with spaces in the path.
  • Check to Open the Properties for this task and click Finish.
  • On the General tab, select to Run whether user is logged on or not, and after hitting OK populate the credentials box with a user possessing the appropriate rights to read your AD log (I use an admin user created specifically for just events and services in our infrastructure).  Membership in the built-in Event Log Readers group is enough to read the Security log, so the account does not have to be a Domain Admin; since Task Scheduler stores its password to run it while nobody is logged on, the less that account can do, the better.
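The same scheduled tasks can be created without clicking through the Event Viewer, which is handy when you have several event IDs and several controllers to cover. The script below is an added example and is not from the original post; it registers one event-triggered task per ID, each running its own copy of the post’s script (with lines 3 and 7 changed for that ID). The script paths, the task name prefix and the service account are assumptions. It needs the ScheduledTasks module (Windows Server 2012 / PowerShell 3.0 or later) and must be run as an administrator on the controller.

```powershell
# register_alert_tasks.ps1 -- added example, not the original post's code.
# Equivalent to "Attach Task To This Event..." in Event Viewer, done for
# several event IDs at once. Assumed: one copy of the alert script per ID
# under C:\emailAlerts, and a dedicated low-privilege service account that
# is a member of Event Log Readers.

$Scripts = @{
    4720 = 'C:\emailAlerts\create_email.ps1'
    4722 = 'C:\emailAlerts\enable_email.ps1'
    4725 = 'C:\emailAlerts\disable_email.ps1'
    4726 = 'C:\emailAlerts\delete_email.ps1'
    4740 = 'C:\emailAlerts\lockout_email.ps1'
}
$RunAs    = 'DOMAIN\svc_eventalerts'   # assumed account name
$Password = Read-Host -Prompt "Password for $RunAs" -AsSecureString
# Register-ScheduledTask wants the password as a plain string.
$Plain    = (New-Object System.Net.NetworkCredential('', $Password)).Password

# New-ScheduledTaskTrigger has no "on an event" option; build the
# MSFT_TaskEventTrigger CIM instance the GUI creates behind the scenes.
$TriggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                             -Namespace Root/Microsoft/Windows/TaskScheduler

foreach ($Id in $Scripts.Keys) {
    $Trigger = New-CimInstance -CimClass $TriggerClass -ClientOnly
    $Trigger.Enabled = $true
    # Same XPath filter the Event Viewer writes into the task.
    $Trigger.Subscription = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=$Id]]</Select></Query></QueryList>
"@

    # Program = powershell.exe, arguments = the script. -File handles spaces in
    # the path and -ExecutionPolicy Bypass stops the policy from silently
    # killing the task; -NonInteractive makes sure nothing ever waits for a key.
    $Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$($Scripts[$Id])`""

    # -User/-Password gives "Run whether user is logged on or not";
    # -Force overwrites a task of the same name on re-runs.
    Register-ScheduledTask -TaskName "AD Alert - Event $Id" `
        -Trigger $Trigger -Action $Action `
        -User $RunAs -Password $Plain -RunLevel Highest -Force | Out-Null

    Write-Host "Registered task for Security event $Id -> $($Scripts[$Id])"
}
```

After running it, `Get-ScheduledTask -TaskName 'AD Alert - *'` lists the five tasks, and `(Get-ScheduledTask -TaskName 'AD Alert - Event 4740').Triggers.Subscription` shows the query exactly as the GUI would have written it. Run the script on each controller you want covered.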

That’s it.  If you’ve set it up correctly, your recipients should get an email every time the Event ID you’ve defined in the script hits the log.  A few caveats.  These events are written only to the Security log of the controller that processed the change, and lockouts (4740) are recorded on the PDC emulator, so attach the task on every DC (or at least on the PDC emulator for lockouts), or forward the Security logs to one box and watch them there.  All five IDs belong to the Audit User Account Management subcategory, which has to be enabled on the controllers or nothing will be logged.  Because the script mails the newest matching event rather than the one that fired the task, two events landing close together can produce two emails about the later one and none about the earlier.  The main weakness beyond those, other than the obvious network related ones tying this process together, is if the account you’re using to run this task goes afoul.  However, I can confirm that merely locking the account out won’t prevent the email from being sent.  Not in my infrastructure, anyway.
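The script below is an added example, not the post’s own, that generalizes the original to the five event IDs in the list above and addresses the caveats just mentioned: it uses `Get-WinEvent` (which, unlike `Get-EventLog`, still exists on current PowerShell versions), reads the named fields out of the event XML instead of scraping the message text, and puts the controller’s name in the subject so you can tell which DC saw the change. The SMTP server and addresses are the same placeholders as in the original script and are assumptions; the `$Subjects` table is the event list from this post.

```powershell
# ad_account_alert.ps1 -- added example, not the original post's script.
# One script for all five IDs; attach it to a task triggered on any of them,
# or pass -EventId 4740 (etc.) to restrict it to one.
param(
    [int[]]   $EventId    = @(4720, 4722, 4725, 4726, 4740),
    [string]  $SmtpServer = 'your.smtp.server',          # assumed placeholder
    [string]  $From       = 'fromemail@address.com',     # assumed placeholder
    [string[]]$To         = @('email1@destination.com', 'email2@otherdestination.com')
)

# Event ID -> description, from the table in the post.
$Subjects = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4740 = 'User account locked out'
}

# Newest matching event in the local Security log (the task runs on each DC,
# and a DC only logs the changes it processed itself).
$Event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } `
                      -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $Event) { exit }

# Security events carry their fields as <Data Name="...">; pull them by name
# rather than guessing at positions in $Event.Message.
$Fields = @{}
$Xml = [xml]$Event.ToXml()
foreach ($D in $Xml.Event.EventData.Data) { $Fields[$D.Name] = $D.'#text' }

$What   = $Subjects[$Event.Id]
$Target = $Fields['TargetUserName']
$Lines  = @(
    "$What`: $Target",
    "Event ID:    $($Event.Id)",
    "Time:        $($Event.TimeCreated)",
    "Logged on:   $($Event.MachineName)",
    "Performed by: $($Fields['SubjectDomainName'])\$($Fields['SubjectUserName'])"
)
# For 4740 the TargetDomainName field holds the "Caller Computer Name",
# i.e. the machine the bad passwords came from.
if ($Event.Id -eq 4740) { $Lines += "Caller computer: $($Fields['TargetDomainName'])" }
$Lines += ''
$Lines += $Event.Message

# Plain-text mail, like the original. Add -UseSsl and -Credential (and -Port)
# if your relay requires authentication or TLS.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "[$($Event.MachineName)] $What`: $Target" `
    -Body ($Lines -join "`r`n")
```

Run it by hand once with `.\ad_account_alert.ps1 -EventId 4740` on the PDC emulator after locking a test account to confirm the relay accepts the mail; the `-ErrorAction SilentlyContinue` on `Get-WinEvent` is what keeps the script quiet when no matching event exists yet.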
