PowerShell Help

Jun 22, 2011 at 7:31 PM

Hi, if anyone could help with this it would be much appreciated. I would like PolyMon to use PowerShell and monitor the event log and send an alert when a user enters the wrong password/locks themselves out. Has anybody managed to do this, and if so, how? Any help much appreciated!!


Jun 22, 2011 at 9:02 PM

As far as I know (somebody correct me if I am wrong), I don't know of any 'notifications' or 'events' that occur when Active Directory parts are changed. In .NET, you have the FileSystemWatcher, which allows you to monitor file changes, etc. So, if there are no events that are raised when a user is locked out in Active Directory, then you would have to regularly 'poll' each Active Directory account to see if it is locked or not. Also (the question you originally asked), I don't think the event log has events associated with it either. But...

You may want to look into doing an AD search using PowerShell every x number of seconds for accounts that are locked out. If it returns 0, then you would set PolyMon to consider that 'OK', and if it comes back with anything else (1, 2, 3+, etc.) then it would raise the flag that people are locked out. You could then log onto the server and do that AD search to find the locked out users. Thoughts?
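
The polling approach suggested in the reply above, as an added example that is not part of the original thread and is not PolyMon's own code: it queries AD for locked-out users with `Search-ADAccount` and maps the count to OK/Fail, putting the account names in the status text. It assumes PowerShell 3.0+ and the ActiveDirectory (RSAT) module; the function names and the result fields (`Status`, `Count`, `Text`) are hypothetical and must be mapped to whatever status and counter variables the PolyMon PowerShell monitor exposes.

```powershell
# Added example. Function names and result fields are illustrative assumptions.

function Get-LockedAccounts {
    # Live query: requires the ActiveDirectory module and read access to the domain.
    Import-Module ActiveDirectory -ErrorAction Stop
    Search-ADAccount -LockedOut -UsersOnly |
        Get-ADUser -Properties AccountLockoutTime |
        Select-Object SamAccountName, AccountLockoutTime
}

function Get-LockoutStatus {
    param(
        # Objects carrying SamAccountName and AccountLockoutTime
        [object[]]$LockedAccounts
    )
    # Drop nulls so "no results" always counts as 0, never as one empty item.
    $accounts = @($LockedAccounts | Where-Object { $_ })
    if ($accounts.Count -eq 0) {
        return [pscustomobject]@{ Status = 'OK'; Count = 0; Text = 'No locked-out accounts' }
    }
    # Newest lockout first, so the most recent event leads the alert text.
    $names = $accounts | Sort-Object AccountLockoutTime -Descending |
        ForEach-Object { '{0} (locked {1:u})' -f $_.SamAccountName, $_.AccountLockoutTime }
    [pscustomobject]@{
        Status = 'Fail'
        Count  = $accounts.Count
        Text   = 'Locked out: ' + ($names -join '; ')
    }
}

try {
    $locked = Get-LockedAccounts
}
catch {
    # Constructed sample data so the script still demonstrates the logic
    # on a machine without the ActiveDirectory module or a domain.
    Write-Warning "AD query unavailable ($($_.Exception.Message)); using constructed sample."
    $locked = @(
        [pscustomobject]@{ SamAccountName = 'jdoe';   AccountLockoutTime = [datetime]'2011-06-22 18:55:00' }
        [pscustomobject]@{ SamAccountName = 'asmith'; AccountLockoutTime = [datetime]'2011-06-22 19:10:00' }
    )
}

$result = Get-LockoutStatus -LockedAccounts $locked
$result | Format-List Status, Count, Text
```

Because the account names and lockout times are in `Text`, the alert itself identifies who is locked out without a second manual search on the server.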