Automatically email the appropriate help desk when a user's AD account is locked out.
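# Name: Email-AccountLockout.ps1
# Author: James Schlackman
# Last Modified: June 14 2018
#
# Automatically emails the appropriate help desk when a user's AD account is locked out.
# Runs on the Domain Controller with the PDC emulator role and triggered by a scheduled task
# attached to event ID 4740 in the Security event log.
#
# Parameters:
#   -username   sAMAccountName of the locked-out account, passed in by the scheduled
#               task from the event's TargetUserName field. Treat it as untrusted text:
#               it is whatever name was presented in the failed logon attempts, not a
#               value typed by an operator.
param(
    [string]$username
)

Import-Module ActiveDirectory

# An empty username would turn the LDAP filter below into "(samaccountname=)" and
# produce a notification that names nobody, so refuse to continue without one.
if ([string]::IsNullOrWhiteSpace($username)) {
    Write-Error "No username supplied; expected the TargetUserName value from event ID 4740."
    exit 1
}

# Escape the characters RFC 4515 treats as special inside an LDAP filter value so the
# account name is matched literally and cannot alter the filter's structure.
# Backslash is handled first so the escapes added afterwards are not re-escaped.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $escaped = $Value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

# Set up mail sending parameters
$MailRelay = "smtp.contoso.com"
$Subject = "AD Account Locked Out: $username"
$FromAddress = "$env:COMPUTERNAME <no-reply@contoso.com>"

# Determine which Help Desk queue to send this to. A missing account or an account
# without a description both leave $UserDesc empty and fall through to the default queue.
$ldapName = ConvertTo-LdapFilterValue -Value $username
$UserDesc = (Get-ADUser -LdapFilter "(samaccountname=$ldapName)" -Properties "description").Description
if ($UserDesc -match "Campus East") {
    $ToAddress = "easthelpdesk@contoso.com"
} elseif (($UserDesc -match "Campus West") -or ($UserDesc -match "Campus South")) {
    $ToAddress = "southwesthelpdesk@contoso.com"
} else {
    $ToAddress = "helpdesk@contoso.com"
}

# Set up anonymous credentials so Exchange doesn't choke on the server account credentials.
# The relay is expected to accept anonymous submission from this host; nothing secret here.
$anonUsername = "anonymous"
$anonPassword = ConvertTo-SecureString -String "anonymous" -AsPlainText -Force
$anonCredentials = New-Object System.Management.Automation.PSCredential($anonUsername, $anonPassword)

# The username is rendered inside HTML, so encode it: a name containing markup must be
# displayed as text in the recipient's mail client, not interpreted by it.
$htmlUsername = [System.Net.WebUtility]::HtmlEncode($username)

# Create the body of the email
$body = @"
<html>
<head>
<style>body {font-family: Calibri, sans-serif; font-size: 11pt} p.footer {font-size: 9pt; font-style: italic; color: gray}</style>
</head>
<body>
<p>The Active Directory account for <strong>$htmlUsername</strong> has been locked out after too many failed login attempts.
The affected user will no longer be able to log in to any system that authenticates directly to AD or LDAP until the account is
unlocked by an administrator or until the lockout expires (normally 1 hour after the initial lockout).</p>
<p>The event log on $env:COMPUTERNAME will have further information: check the Event Viewer under <b>Windows Logs\Security</b>
and filter on Event ID <b>4740</b> for more details.</p>
<p class="footer">This is a scripted message sent via the Task Scheduler on $env:COMPUTERNAME. Do not reply to this message.</p>
</body></html>
"@

# Send email notification. -BodyAsHtml is a switch: pass the body explicitly via -Body
# rather than relying on positional binding after the switch.
Send-MailMessage -SmtpServer $MailRelay -Subject $Subject -From $FromAddress -To $ToAddress -Body $body -BodyAsHtml -Credential $anonCredentials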
<?xml version="1.0" encoding="UTF-16"?> | |
<!-- Scheduled task definition that pairs with Email-AccountLockout.ps1: fires on Security
     event ID 4740 (account lockout) and hands the locked-out account name to the script. -->
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> | |
<RegistrationInfo> | |
<Date>2017-04-09T14:37:33.5919775</Date> | |
<Author>james@schlackman.org</Author> | |
</RegistrationInfo> | |
<Triggers> | |
<EventTrigger> | |
<Enabled>true</Enabled> | |
<!-- Only events from the Security Auditing provider with EventID 4740 match; the two
     value queries below pull the domain and account name out of the event's EventData. -->
<Subscription><QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]</Select></Query></QueryList></Subscription> | |
<ValueQueries> | |
<Value name="TargetDomainName">Event/EventData/Data[@Name='TargetDomainName']</Value> | |
<Value name="TargetUserName">Event/EventData/Data[@Name='TargetUserName']</Value> | |
</ValueQueries> | |
</EventTrigger> | |
</Triggers> | |
<Principals> | |
<!-- S-1-5-18 is LocalSystem: the script runs with full local privileges on the PDC emulator,
     so everything it executes (the script file and its working directory, below) must be
     writable only by trusted administrators. -->
<Principal id="Author"> | |
<UserId>S-1-5-18</UserId> | |
<RunLevel>LeastPrivilege</RunLevel> | |
</Principal> | |
</Principals> | |
<Settings> | |
<!-- IgnoreNew: a burst of lockouts while one instance is still running will drop the
     later triggers rather than queue them; those lockouts produce no email. -->
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> | |
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> | |
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> | |
<AllowHardTerminate>true</AllowHardTerminate> | |
<StartWhenAvailable>false</StartWhenAvailable> | |
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> | |
<IdleSettings> | |
<StopOnIdleEnd>true</StopOnIdleEnd> | |
<RestartOnIdle>false</RestartOnIdle> | |
</IdleSettings> | |
<AllowStartOnDemand>true</AllowStartOnDemand> | |
<Enabled>true</Enabled> | |
<Hidden>false</Hidden> | |
<RunOnlyIfIdle>false</RunOnlyIfIdle> | |
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> | |
<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine> | |
<WakeToRun>false</WakeToRun> | |
<ExecutionTimeLimit>P3D</ExecutionTimeLimit> | |
<Priority>7</Priority> | |
</Settings> | |
<Actions Context="Author"> | |
<Exec> | |
<Command>powershell</Command> | |
<!-- $(TargetUserName) is substituted verbatim from the event and is not quoted here;
     NOTE(review): a sAMAccountName containing a space would be split into two arguments,
     so wrapping it as "$(TargetUserName)" is worth confirming in a test lockout.
     -ExecutionPolicy Bypass means the script is not required to be signed; the script
     lives on SYSVOL, so its ACL is the only control over what LocalSystem runs here. -->
<Arguments>-ExecutionPolicy Bypass -File .\Email-AccountLockout.ps1 -username $(TargetUserName)</Arguments> | |
<WorkingDirectory>\\contoso.com\SYSVOL\contoso.com\scripts</WorkingDirectory> | |
</Exec> | |
</Actions> | |
</Task> |