We’ve used a variety of third party tools to monitor Active Directory domain account changes. They’ve all either been expensive or kind of sucked (or, unfortunately, both). But if you’re running a relatively new OS on your controller you can use the magick of PowerShell to ship you alerts on account changes! PowerShell can monitor the local Security Event Log on your controller and ship you an email when events matching your description are entered. Here’s an example PowerShell script:
```powershell
$MailTo = "email1@destination.com,email2@otherdestination.com"

# Grab the newest lockout event (4740). The post runs this from a scheduled task;
# because -Newest 1 just returns the most recent 4740 entry, trigger the task on
# the event itself rather than on a timer, or the same entry gets re-sent.
$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1

If ($Event) {
    # Event text, then a CRLF + tab, then the timestamp
    $MailBody    = $Event.Message + "`r`n`t" + $Event.TimeGenerated
    $MailSubject = "User Account Locked!"

    $SmtpClient      = New-Object System.Net.Mail.SmtpClient
    $SmtpClient.Host = "your.smtp.server"

    $MailMessage            = New-Object System.Net.Mail.MailMessage
    $MailMessage.From       = "fromemail@address.com"
    $MailMessage.To.Add($MailTo)        # comma-separated list is accepted here
    $MailMessage.IsBodyHtml = $false
    $MailMessage.Subject    = $MailSubject
    $MailMessage.Body       = $MailBody

    $SmtpClient.Send($MailMessage)
    #write-host "sending"
    #$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    Exit
} Else {
    Exit
}
```
Other Event IDs you can substitute for -InstanceId in the script (Windows Server 2003 ID / Windows Server 2008 and later ID):

- 624/4720 – User account created
- 626/4722 – User account enabled
- 629/4725 – User account disabled
- 630/4726 – User account deleted
- 644/4740 – User account locked
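As an added example (not the post's script), here is a variant that watches all five Event IDs in one pass, remembers the last Security log record it already reported in a state file so a timer-driven scheduled run does not re-send the same event, and puts the affected account name in the mail body. The SMTP server, addresses and state-file path are placeholder assumptions; the field names (TargetUserName, SubjectUserName) are read from each event's own XML.

```powershell
# Added example: digest of AD account-change events since the last run (not the post's script).
# Assumed placeholders: SMTP server, mail addresses and the state file path.
$SmtpServer = 'your.smtp.server'
$From       = 'fromemail@address.com'
$To         = 'email1@destination.com', 'email2@otherdestination.com'
$StateFile  = 'C:\Scripts\account-monitor.state'   # holds the last Security RecordId reported

# Event IDs from the list above (2008+ numbering) with a label for the mail body.
$Watched = @{ 4720 = 'created'; 4722 = 'enabled'; 4725 = 'disabled'; 4726 = 'deleted'; 4740 = 'locked out' }

# Resume from the last record already emailed; a first run only looks back one hour.
$LastId = if (Test-Path $StateFile) { [int64](Get-Content $StateFile) } else { 0 }
$Filter = @{ LogName = 'Security'; Id = @($Watched.Keys) }
if ($LastId -eq 0) { $Filter.StartTime = (Get-Date).AddHours(-1) }

$Events = @(Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordId -gt $LastId } | Sort-Object RecordId)
if ($Events.Count -eq 0) { exit }

# Read named fields from the event XML instead of relying on ReplacementStrings positions.
function Get-EventField($Event, $Name) {
    $Xml = [xml]$Event.ToXml()
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Lines = foreach ($E in $Events) {
    $Target  = Get-EventField $E 'TargetUserName'
    $Subject = Get-EventField $E 'SubjectUserName'   # for 4740 this is usually the DC's computer account
    '{0}  {1}  account "{2}" {3} (by {4}, record {5})' -f $E.TimeCreated, $E.Id, $Target, $Watched[[int]$E.Id], $Subject, $E.RecordId
}

$MailParams = @{
    SmtpServer = $SmtpServer; From = $From; To = $To
    Subject    = 'AD account change: {0} event(s) on {1}' -f $Events.Count, $env:COMPUTERNAME
    Body       = ($Lines -join "`r`n")
}
Send-MailMessage @MailParams

# Advance the high-water mark only after the mail went out, so a failed send is retried next run.
$Events[-1].RecordId | Set-Content $StateFile
```

Run it from a scheduled task on a short timer (or on an event trigger) under an account that can read the Security log; the state file makes either trigger style safe.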
That’s it. If you’ve set it up correctly, your recipients should get an email every time the Event ID you’ve defined in the script hits the log. The only weakness here, other than the obvious network-related ones tying this process together, is if the account you’re using to run this task goes afoul. However, I can confirm that merely locking the account out won’t prevent the email from being sent. Not in my infrastructure, anyway.