Automatically email the appropriate help desk when a user's AD account is locked out.
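# Name: Email-AccountLockout.ps1
# Author: James Schlackman
# Last Modified: June 14 2018
#
# Automatically emails the appropriate help desk when a user's AD account is locked out.
# Runs on the Domain Controller with the PDC emulator role and triggered by a scheduled task
# attached to event ID 4740 in the Security event log.
#
# Parameters:
#   -username   sAMAccountName of the locked-out account (the scheduled task passes the
#               event's TargetUserName field).
#
# $username is treated as untrusted text even though it originates from the Security log:
# it is interpolated into an LDAP filter and into an HTML mail body, so it is escaped for
# each of those contexts before use.
param(
    [string]$username
)

Import-Module ActiveDirectory

# Without an account name the LDAP filter below is malformed and the notification would be
# meaningless, so stop here with a non-zero exit code for the task history.
if ([string]::IsNullOrWhiteSpace($username)) {
    Write-Error "No username supplied; nothing to report."
    exit 1
}

# Set up mail sending parameters
$MailRelay   = "smtp.contoso.com"
$Subject     = "AD Account Locked Out: $username"
$FromAddress = "$env:COMPUTERNAME <no-reply@contoso.com>"

# Escape the RFC 4515 LDAP filter metacharacters before building the filter string.
# Backslash is handled first so the escapes introduced for the other characters are not
# themselves re-escaped.
$ldapUsername = $username -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

# Determine which Help Desk queue to send this to.
# A lookup failure (for example the account no longer exists by the time the task runs) is not
# fatal: $UserDesc stays $null and the message goes to the default queue.
$UserDesc = $null
try {
    $UserDesc = (Get-ADUser -LdapFilter "(samaccountname=$ldapUsername)" -Properties Description -ErrorAction Stop).Description
} catch {
    Write-Warning "Could not look up '$username' in AD: $($_.Exception.Message)"
}

if ($UserDesc -match "Campus East") {
    $ToAddress = "easthelpdesk@contoso.com"
} elseif (($UserDesc -match "Campus West") -or ($UserDesc -match "Campus South")) {
    $ToAddress = "southwesthelpdesk@contoso.com"
} else {
    $ToAddress = "helpdesk@contoso.com"
}

# Set up anonymous credentials so Exchange doesn't choke on the server account credentials
$anonUsername    = "anonymous"
$anonPassword    = ConvertTo-SecureString -String "anonymous" -AsPlainText -Force
$anonCredentials = New-Object System.Management.Automation.PSCredential($anonUsername, $anonPassword)

# HTML-encode the account name before placing it in the message so it cannot alter the markup.
$htmlUsername = [System.Net.WebUtility]::HtmlEncode($username)

# Create the body of the email
$body = @"
<html>
<head>
<style>body {font-family: Calibri, sans-serif; font-size: 11pt} p.footer {font-size: 9pt; font-style: italic; color: gray}</style>
</head>
<body>
<p>The Active Directory account for <strong>$htmlUsername</strong> has been locked out after too many failed login attempts.
The affected user will no longer be able to log in to any system that authenticates directly to AD or LDAP until the account is
unlocked by an administrator or until the lockout expires (normally 1 hour after the initial lockout).</p>
<p>The event log on $env:COMPUTERNAME will have further information: check the Event Viewer under <b>Windows Logs\Security</b>
and filter on Event ID <b>4740</b> for more details.</p>
<p class="footer">This is a scripted message sent via the Task Scheduler on $env:COMPUTERNAME. Do not reply to this message.</p>
</body></html>
"@

# Send email notification.
# -BodyAsHtml is a switch; the body is bound explicitly with -Body rather than relying on
# positional binding of the value that followed the switch.
# NOTE(review): the relay is contacted without -UseSsl, so the message (which names the locked-out
# account) crosses the network in clear text unless the relay enforces TLS itself — confirm against
# the relay's configuration.
Send-MailMessage -SmtpServer $MailRelay -Subject $Subject -From $FromAddress -BodyAsHtml -Body $body -To $ToAddress -Credential $anonCredentials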
<?xml version="1.0" encoding="UTF-16"?>
<!-- Scheduled task definition that runs Email-AccountLockout.ps1 whenever an account lockout
     event (ID 4740) is written to the Security log on this Domain Controller. -->
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2017-04-09T14:37:33.5919775</Date>
<Author>james@schlackman.org</Author>
</RegistrationInfo>
<Triggers>
<!-- Fire on Security-log events from Microsoft-Windows-Security-Auditing with EventID 4740. -->
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
<!-- Extract fields from the triggering event for use as $(name) tokens in the action's
     Arguments. Only TargetUserName is consumed below; TargetDomainName is extracted but
     not referenced by the Exec action. -->
<ValueQueries>
<Value name="TargetDomainName">Event/EventData/Data[@Name='TargetDomainName']</Value>
<Value name="TargetUserName">Event/EventData/Data[@Name='TargetUserName']</Value>
</ValueQueries>
</EventTrigger>
</Triggers>
<!-- S-1-5-18 is the LocalSystem SID: the script runs with SYSTEM privileges on the DC. -->
<Principals>
<Principal id="Author">
<UserId>S-1-5-18</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<!-- The script path is resolved relative to WorkingDirectory, a SYSVOL share, and is started
     as SYSTEM with the execution policy bypassed. Write access to that scripts folder therefore
     amounts to code execution as SYSTEM on this DC; verify its ACL permits writes only to the
     administrators who maintain the script. TargetUserName is passed verbatim from the event
     on the command line, so it is visible in process listings and command-line auditing. -->
<Exec>
<Command>powershell</Command>
<Arguments>-ExecutionPolicy Bypass -File .\Email-AccountLockout.ps1 -username $(TargetUserName)</Arguments>
<WorkingDirectory>\\contoso.com\SYSVOL\contoso.com\scripts</WorkingDirectory>
</Exec>
</Actions>
</Task>