# encoding: utf-8
# api: powershell
# title: Locked accounts alerter
# description: EDIT: changed dcname to get the DC automatically ("$env:computername.$env:userdnsdomain")
# version: 0.1
# type: script
# author: Ty Lopes
# license: CC0
# x-poshcode-id: 5077
# x-archived: 2016-10-18T06:01:12
# x-published: 2016-04-14T13:16:00
#
# It's about time I added something to this site instead of leeching all of the great scripts.
# #Created By: Ty Lopes
# #Sept 2012
# #Script to be run by a scheduled task that monitors for a specific event ID (in this case account locked)
# #The script then reads the last corresponding event ID and emails the details
# #I could only get this alert to work properly by using this method… There may be something easier/better for you out there.
# #This process will have to be followed for each domain controller (since any DC may lock the account and others may not trigger the event ID)
# #We have two DC’s so this worked well for us
# #The account the task runs under obviously needs rights to read the event logs on the DC
# #Setup the Task
# #Create a scheduled task
# #On the General tab, select "Run whether user is logged on or not" and "Run with highest privileges"
# #On the triggers tab, Select NEW, “On an Event”.
# #Populate
# #log: Security
# #Source: Microsoft-Windows-security-auditing
# #Event ID: 4740
# #Under Actions: New: Start a program:
# #Program: powershell.exe
# #Arguments: -command "& 'C:\scripts\accountLocked.ps1' " (pointing to wherever your script lives)
#
#Created By: Ty Lopes
#Sept 2012
#Script to be run by a scheduled task that monitors for a specific event ID (in this case account locked)
#The script then reads the last corresponding event ID and emails the details
#I could only get this alert to work properly by using this method... There may be something easier/better for you out there.
#This process will have to be followed for each domain controller (since any DC may lock the account and others may not trigger the event ID)
#We have two DC's so this worked well for us
#The account the task runs under obviously needs rights to read the event logs on the DC
#Setup the Task
#Create a scheduled task
#On the General tab, select "Run whether user is logged on or not" and "Run with highest privileges"
#On the triggers tab, Select NEW, "On an Event".
#Populate
#log: Security
#Source: Microsoft-Windows-security-auditing
#Event ID: 4740
#Under Actions: New: Start a program:
#Program: powershell.exe
#Arguments: -command "& 'C:\scripts\accountLocked.ps1' " (pointing to wherever your script lives)
#Script Start
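# Reads the most recent account-lockout event (ID 4740) from this domain
# controller's Security log and e-mails the event text to an administrator.
# Meant to be launched by a scheduled task triggered on that event ID.
#
# NOTE(review): the task is set up to run with highest privileges on a DC, so the
# script file and the folder it lives in should be writable by administrators only.

# Pause before querying the log.
# NOTE(review): presumably gives the triggering event time to be written - confirm.
# Any other lockout logged during the pause changes which event "-Newest 1" returns,
# so closely spaced lockouts can be reported twice or missed.
Start-Sleep -Seconds 10

# Fully qualified name of the local machine, built from the task's environment.
# NOTE(review): USERDNSDOMAIN may be empty for some task identities (e.g. SYSTEM);
# verify it resolves under the account the task actually runs as.
$dcName = "$env:computername.$env:userdnsdomain"
$eventID = "4740"
$mailServer = "smtpServer"
$eSubject = "AD account locked"
$emailAddy = "user@domain.com"

$lockEvent = Get-EventLog -LogName Security -ComputerName $dcName -InstanceId $eventID -Newest 1

if ($null -eq $lockEvent) {
    # Nothing was returned (no matching event, or the log could not be read):
    # report it instead of attempting to send a mail with an empty body.
    Write-Warning "No event $eventID found in the Security log on $dcName; no mail sent."
}
else {
    $emailBody = $lockEvent.Message

    # Parameter names need their leading dash; without it every word is treated
    # as a positional argument and the call fails.
    # NOTE(review): the body carries the lockout event text and is sent without
    # transport encryption as written; add -UseSsl if the SMTP server supports it.
    # Send-MailMessage is marked obsolete in current PowerShell documentation.
    Send-MailMessage -From 'lockedAccount@domain.com' -To $emailAddy -Subject $eSubject -Body $emailBody -SmtpServer $mailServer
}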
#Script end