Monday, April 4, 2011

Active Directory Account Lockout Notification

Scenario: You want to be notified by e-mail if one of your Active Directory users locks their account by entering their password incorrectly too many times. This allows you to be proactive in identifying locked accounts and contacting said user to see if there is an issue they need assistance with.

Assumptions: You host your mail server and it will relay mail internally for a domain user. You have a group policy enabled so that an Active Directory account will “lock” after “x” number of incorrect login attempts.

What is needed:

* Blat - a Win32 command line utility that sends eMail using SMTP - http://www.blat.net/
* unlock.exe - Command line Active Directory unlock tool. Will show you currently locked accounts and unlock accounts. One simple command to unlock all locked accounts in a domain. - http://www.joeware.net/freetools/tools/unlock/index.htm

Details:

On one of your Active Directory servers you will want to create a directory structure like this:

c:\utils\script
c:\utils\temp
c:\utils\blat
c:\utils\unlock

Place unlock.exe in the c:\utils\unlock folder.
Place blat.exe, blat.dll, blat.lib in the c:\utils\blat folder.

In the script folder, create a file named lockout_check.bat.
The contents of this batch file should look something like this:

@echo off
:: Run the unlock utility to determine if there are locked accounts
:: Use the -view option to only view locked accounts
:: and do not unlock them
:: Send the output to a temp file
c:\utils\unlock\unlock . * -view > c:\utils\temp\lockstatus.txt

:: Read contents of lockstatus.txt
:: If contents of file contains No objects found. then goto END
:: Otherwise send someone an e-mail that there are locked accounts
type "c:\utils\temp\lockstatus.txt" | find "No objects found." > nul
if errorlevel 1 goto LOCKS
goto END

:LOCKS
:: Edit the to and from addresses and put in your mail server
:: The next line is one continuous line: -to is the recipient, -f is the sender, -server is the SMTP relay
c:\utils\blat\blat.exe c:\utils\temp\lockstatus.txt -to helpdesk@mydomain.com -subject "Locked Active Directory Accounts!" -f helpdesk@mydomain.com -server mail.mydomain.com

:END
exit

You can now (on another computer) log in to an account incorrectly “x” number of times to lock the account.

You can now run this command to verify the account is locked:
c:\utils\unlock\unlock . * -view

Assuming you see a “locked” account you can run the script you created to see if you get an e-mail stating there was a locked account.

Assuming that works correctly, you can schedule a task to run this script as often as you deem necessary. I have it set for every 10 minutes.
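The same check written in PowerShell, added here as an example and not taken from the post; it replaces unlock.exe and Blat with the RSAT ActiveDirectory module and Send-MailMessage, assumes that module is installed on the host running the scheduled task, uses placeholder OU, addresses and SMTP server, and also covers the per-OU scoping asked about in the comments below.

```powershell
# Added example (not from the original post): the lockout check in PowerShell
# using the RSAT ActiveDirectory module instead of unlock.exe + blat.
# Assumptions: the ActiveDirectory module is installed on the host that runs
# the scheduled task; the OU, addresses and SMTP server below are placeholders.
Import-Module ActiveDirectory

# Limit the search to one OU (the "-b" question from the comments); leave
# $SearchBase empty to search the whole domain, as the batch script does.
$SearchBase = "OU=Staff,DC=mydomain,DC=com"   # placeholder OU
$MailTo     = "helpdesk@mydomain.com"          # placeholder recipient
$MailFrom   = "helpdesk@mydomain.com"          # placeholder sender
$SmtpServer = "mail.mydomain.com"              # placeholder internal relay

$params = @{ LockedOut = $true; UsersOnly = $true }
if ($SearchBase) { $params.SearchBase = $SearchBase }

# -LockedOut returns only accounts whose lockout is still in effect under the
# domain's lockout duration policy, so this lists accounts locked right now.
$locked = @(Search-ADAccount @params |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate)

if ($locked.Count -eq 0) {
    # Equivalent of the batch script's "No objects found." branch: nothing to report
    exit 0
}

# One mail per run, listing every currently locked account in the scope
$body = $locked | Format-Table -AutoSize | Out-String
Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
    -Subject "Locked Active Directory Accounts! ($($locked.Count))" `
    -Body $body
```

Schedule it the same way as the batch file; a run that finds no locked accounts exits quietly without sending mail.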

2 comments:

  1. Hi,

    If I need this to be executed on a specific OU, how can I achieve this? Can you help?

    Reply:
    1. I think you are looking for the "-b" option for the unlock.exe program. If you have downloaded the Unlock utility, do an unlock /? at the command prompt to look at the options. "-b" is what you use to start the search at. I haven't used this option before, but it looks like this is what you are looking for.