At my previous company we had a script that would get triggered on a domain controller if an Active Directory account got locked out because of too many login attempts. It was really helpful in being proactive when someone got locked out.
I decided my current company needed something like that too, and I found a really easy Powershell script that did the trick. You can download that script here (AD Lockout Alert Script) then do the following on your domain controller to send out the alerts:
- Open Powershell on your domain controller and run the following to allow the execution of scripts: Set-ExecutionPolicy RemoteSigned
- Save the Alert Script to c:\lockouts
- Modify the To, From and SMTP server information in the script for your environment and save it.
- Create a new basic task and use "When Specific Event is Logged" as the trigger.
- Use the following settings for the trigger:
Source: Microsoft Windows security auditing
Event ID: 4740
- Select "Start a Program" for the action and use the following settings:
Add arguments: -nologo -File "C:\lockouts\Lockoutalert.ps1"
- When finished setting this up, set this task to be ran as System.
Do you use a similer method for lockout alerts in your company? Do you do it differently? If so, let us know in the comments!