Khalids Technical Diary

I encountered the need to monitor account lockouts so that I could more efficiently deal with the response time to users that encounter this. Also we could identify if the user was infact trying to log on or if it was another party trying to utlise the account. I made the following script which I linked to a task to run when an event was triggered in the security log.

 

$2MinutesAgo = [DateTime]::Now.AddMinutes(-2)
$messageParameters = @{
Subject = "User Account Locked"
Body = Get-EventLog "Security" |
Where {$2MinutesAgo -le $_.TimeWritten -and $_.eventid -eq 4740} |
Format-List |
Out-String
From = "user_lockout@mydomain.com"
To = "myemail@mydomain.com"
SmtpServer = "mymailserver"
}
Send-MailMessage @messageParameters