We don’t have that many users right now, so I decided to set up an email alert to be sent to me when a user account is locked out.
Essentially it’s pretty simple; here’s what I did.
First, head over to Scheduled Tasks on a DC. (This will ultimately need to be performed on all DCs.)
When the event is triggered, we need to perform 2 actions.
First, we run a script to write out the relevant information from the event log to a text file. It’s not the most advanced script; it just matches events with ID 4740 that occurred in the last 10 seconds. The script for this is:
rem Remove the output of the previous run
del details.txt
rem Query the Security log for lockout events (ID 4740) from the last 10,000 ms
wevtutil.exe /remote:exchangeservername qe Security /q:*"[System[(EventID=4740) and TimeCreated[timediff(@SystemTime)<=10000]]]" /f:text >> details.txt
Next, we send out an email and select as the attachment the text file that will be written out (you can create an empty details.txt file for the moment).
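
As an added example (not part of the original post), the same 4740 query can be run with PowerShell's Get-WinEvent in place of wevtutil, reducing each event to the locked account and the computer the failed logons came from, so details.txt holds one short line per lockout. The function name ConvertFrom-LockoutEventXml, the -Live switch and the sample event values are constructed for illustration; -Live reads the local Security log and needs an elevated session on the DC.

```powershell
param([switch]$Live)   # hypothetical switch: query the real log instead of the sample

# Turn one 4740 event (as XML) into an object with the fields worth alerting on.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    # Index the <Data Name="..."> elements by their Name attribute.
    $data = @{}
    foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        TimeUtc          = $evt.System.TimeCreated.SystemTime
        DomainController = $evt.System.Computer
        LockedAccount    = $data['TargetUserName']
        # In event 4740 the TargetDomainName field carries the caller computer name.
        CallerComputer   = $data['TargetDomainName']
    }
}

# Constructed sample event (trimmed to the fields used above) so the script runs offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:12.0000000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
  </EventData>
</Event>
'@

# Same XPath filter as the wevtutil command: ID 4740 within the last 10,000 ms.
$xpath = '*[System[(EventID=4740) and TimeCreated[timediff(@SystemTime) <= 10000]]]'
$events = @(if ($Live) {
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() }
} else { $sampleXml })

# One summary line per lockout, overwriting the previous details.txt.
$events | ForEach-Object { ConvertFrom-LockoutEventXml -EventXml $_ } |
    ForEach-Object { '{0}  account={1}  caller={2}  dc={3}' -f `
        $_.TimeUtc, $_.LockedAccount, $_.CallerComputer, $_.DomainController } |
    Set-Content -Path details.txt
```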