Scheduled task to send an email when a domain user account is locked out

22 May

We don’t have that many users right now and so I decided to set up an email alert to be sent to me when a user account is locked out.

Essentially it’s pretty simple, here’s what I did.

First, head over to Scheduled Tasks on a DC. (This will ultimately need to be performed on all DCs.)

Set the task to run whether the user is logged in or not. I also have a dedicated service account for this to run under.

The trigger for this is an event in the Security log with event ID 4740. Select Security as the log and set the event ID to 4740.

When the event is triggered, we need to perform 2 actions.


First, we run a script to write out the relevant information from the event log to a text file. It’s not the most advanced script; it just matches events with ID 4740 that occurred in the last 10 seconds. The script for this is:

del details.txt
wevtutil.exe /remote:exchangeservername qe Security /q:*"[System[(EventID=4740) and TimeCreated[timediff(@SystemTime)<=10000]]]" /f:text >> details.txt


Next, we send out an email and select as the attachment the text file that will be written out (you can create an empty details.txt file for the moment).

That’s all there is to it. Enjoy.
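As an added example (not part of the original post), here is a PowerShell variant of the wevtutil step above that runs the same XPath query and pulls the locked account and the caller computer out of each 4740 event, so the alert names the machine the bad passwords came from. The function names, the sample event and its host names are constructed for illustration.

```powershell
# Added example, not the original author's script.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    # Index the <Data Name="..."> elements of EventData by name.
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeUtc        = $doc.Event.System.TimeCreated.SystemTime
        LoggedOn       = $doc.Event.System.Computer
        LockedAccount  = $data['TargetUserName']
        # In event 4740 the TargetDomainName field holds the caller computer name.
        CallerComputer = $data['TargetDomainName']
    }
}

function Get-RecentLockout {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$WindowMs = 10000)
    # Same filter as the wevtutil command: ID 4740 within the last $WindowMs milliseconds.
    $xpath = "*[System[(EventID=4740) and TimeCreated[timediff(@SystemTime)<=$WindowMs]]]"
    # Get-WinEvent raises an error when nothing matches; treat that as "no lockouts".
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LockoutEventXml -Xml $_.ToXml() }
}

# Constructed sample event (not real data) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.0000000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN042</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEventXml -Xml $sample | Format-List

# In the scheduled task, replace the sample with the live query:
# Get-RecentLockout | Format-List | Out-File -FilePath details.txt
```

A scheduled task does not necessarily start in the script's folder, so give details.txt a full path (or set the task's "Start in" field) to make sure the file the email action attaches is the one the script just wrote.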