Active Directory Email Notification on Account Lockout and Password Reset Events

Automated email notification for Active Directory user account lockout and password reset events using PowerShell.

Windows Security Log Event ID 4740 indicates that a user account was locked out after repeated logon failures due to a bad password. Similarly, Windows Security Log Event ID 4724 is fired when the Subject attempted to reset the password of the Target. This event is logged as a failure if the new password does not meet the password policy.

Both events are logged for local SAM accounts as well as domain accounts.

SendMailOnLockOut.ps1

This PowerShell script searches the Windows event log for the newest record with Event ID 4740 and sends an email to the recipients with the event details, such as the username and the caller computer name.

# Fetch the most recent account lockout event (4740) from the Security log
$AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
# ReplacementStrings[0] is the TargetUserName field of event 4740 (the locked-out account)
$LockedAccount = $AccountLockOutEvent.ReplacementStrings[0]
$AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
$AccountLockOutEventMessage = $AccountLockOutEvent.Message
# Mail settings; replace the addresses and SMTP server with your own
$messageParameters = @{
    Subject    = "Account Locked Out: $LockedAccount"
    Body       = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage"
    From       = "admin@domain.local"
    To         = "support1@domain.local","support2@domain.local"
    SmtpServer = "smtp.mail.local"
}
Send-MailMessage @messageParameters

SendMailOnResetPassword.ps1

This PowerShell script searches the Windows event log for the newest record with Event ID 4724 and sends an email to the recipients with the event details, such as the username and the time of the password reset attempt.

# Fetch the most recent password reset attempt event (4724) from the Security log
$AccountPassChangeEvent = Get-EventLog -LogName "Security" -InstanceID 4724 -Newest 1
# ReplacementStrings[0] is the TargetUserName field of event 4724 (the account whose password was reset)
$ChangeAccount = $AccountPassChangeEvent.ReplacementStrings[0]
$AccountChangeTime = $AccountPassChangeEvent.TimeGenerated
$AccountChangeEventMessage = $AccountPassChangeEvent.Message
# Mail settings; replace the addresses and SMTP server with your own
$messageParameters = @{
    Subject    = "Password changed for: $ChangeAccount"
    Body       = "Password change attempt for $ChangeAccount at $AccountChangeTime.`n`nEvent Details:`n`n$AccountChangeEventMessage"
    From       = "admin@domain.local"
    To         = "support1@domain.local","support2@domain.local"
    SmtpServer = "smtp.mail.local"
}
Send-MailMessage @messageParameters

(Additional SMTP parameters might be required, depending on the mail server's configuration.)
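Both scripts above read only the newest event, so when several lockouts or resets are logged within seconds of each other only one of them is reported. The following added example (not part of this repository) serves both scheduled tasks from a single script: it takes the event ID as a parameter, collects every matching event inside a short look-back window, and reads the event fields by name from the event XML instead of by ReplacementStrings index. The look-back window length and the function name Get-EventField are assumptions; addresses and the SMTP server are placeholders as in the original scripts.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet(4740, 4724)]
    [int]$EventId,

    # Look-back window so that several events fired close together are all
    # reported, not only the newest one. The default value is an assumption.
    [int]$LookBackMinutes = 2
)

# Read a named EventData field from the event XML (hypothetical helper name)
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $EventId
    StartTime = (Get-Date).AddMinutes(-$LookBackMinutes)
} -ErrorAction SilentlyContinue

# Nothing inside the window (e.g. the task started late): send no mail
if (-not $events) { return }

$lines = foreach ($ev in $events) {
    $target = Get-EventField $ev 'TargetUserName'
    if ($EventId -eq 4740) {
        # In event 4740 the TargetDomainName field carries the caller computer name
        $caller = Get-EventField $ev 'TargetDomainName'
        "$($ev.TimeCreated)  account '$target' locked out, caller computer: $caller"
    } else {
        # In event 4724 the Subject is the account that performed the reset
        $subject = Get-EventField $ev 'SubjectUserName'
        "$($ev.TimeCreated)  password of '$target' reset by '$subject'"
    }
}

$kind = if ($EventId -eq 4740) { 'Account lockout' } else { 'Password reset' }
$messageParameters = @{
    Subject    = "$kind event(s) on $env:COMPUTERNAME ($($events.Count))"
    Body       = ($lines -join "`n") + "`n`nFirst event details:`n`n" + $events[0].Message
    From       = 'admin@domain.local'
    To         = 'support1@domain.local', 'support2@domain.local'
    SmtpServer = 'smtp.mail.local'
}
Send-MailMessage @messageParameters
```

The scheduled task for lockouts then runs `powershell.exe -NoLogo -File "C:\PathToPS\SendMailOnEvent.ps1" -EventId 4740` and the one for resets passes `-EventId 4724`; for domain accounts the lockout is processed by the PDC emulator, so that is the domain controller on which the 4740 task needs to run.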

To automate these two PowerShell scripts, two tasks are created on the AD domain controller using the Windows Task Scheduler. Each task is triggered when an event with the configured Event ID is logged, and the corresponding email is sent to the recipients.

Create Task

Set "Begin the task" to "On an event", Log to "Security", Source to "Microsoft Windows security auditing" and Event ID to 4740.

Settings tab

Set the Program/script to "powershell.exe" and the additional arguments to -nologo -File "C:\PathToPS\SendMailOnLockOut.ps1"


In the Task Scheduler two tasks are created: one for the account lockout event (4740) and another for the password reset attempt event (4724).

Once an event is fired, the task run is shown in the task's History tab.