At my previous company we had a script that would get triggered on a domain controller whenever an Active Directory account got locked out because of too many failed login attempts. It was really helpful for being proactive when someone got locked out.



I decided my current company needed something like that too, and I found a really easy PowerShell script that did the trick. You can download that script here (AD Lockout Alert Script), then do the following on your domain controller to send out the alerts:





1. Open an elevated PowerShell prompt on your domain controller and run the following to allow locally stored scripts to execute: Set-ExecutionPolicy RemoteSigned. This setting is machine-wide; it allows unsigned local scripts while still requiring a signature on scripts marked as downloaded from the internet, so if the downloaded file is blocked, run Unblock-File on it first.

2. Save the alert script as C:\lockouts\Lockoutalert.ps1. Because the task below runs as SYSTEM on a domain controller, anyone who can edit that file can run code as SYSTEM on the DC, so make sure only administrators can write to C:\lockouts.

3. Modify the To, From and SMTP server information in the script for your environment and save it.

4. Open Task Scheduler, create a new basic task and use "When a specific event is logged" as the trigger, with the following settings:

Log: Security

Source: Microsoft Windows security auditing

Event ID: 4740

5. Select "Start a program" for the action and use the following settings:

Program/script: powershell.exe

Add arguments: -nologo -File "C:\lockouts\Lockoutalert.ps1"

6. When the wizard finishes, open the task's properties and set it to run as SYSTEM, whether a user is logged on or not.

Two things to check before relying on it. Event 4740 is written by whichever DC processes the lockout, and every lockout in the domain is also recorded on the PDC emulator, so create the task on the PDC emulator or you will miss lockouts handled by other DCs. The event is only generated if success auditing for User Account Management (under Account Management in the advanced audit policy) is enabled on the DC.
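The same setup done entirely from PowerShell, as an added example that is not the linked Lockoutalert.ps1 or its author's code. It writes a small alert script that reads the newest 4740 event, pulls the locked-out account and the caller computer out of the event XML and mails them, then locks down the folder and registers the event-triggered task to run as SYSTEM. The SMTP relay, To/From addresses and task name are placeholders you would replace for your environment.

```powershell
# Added example: deploy a 4740-triggered lockout alert from an elevated
# PowerShell on the PDC emulator. Not the script the post links to.
# Assumptions: smtp.example.local and the two addresses are placeholders.
$ScriptDir  = 'C:\lockouts'
$ScriptPath = Join-Path $ScriptDir 'Lockoutalert.ps1'

# 1. The alert script. Written as a literal here-string so nothing inside
#    it is expanded until the task actually runs it.
$AlertScript = @'
$SmtpServer = 'smtp.example.local'      # assumption: your mail relay
$To         = 'helpdesk@example.local'  # assumption
$From       = 'lockouts@example.local'  # assumption

# Newest 4740 (account locked out) on this DC; Get-WinEvent returns newest first.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1
$xml = [xml]$evt.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

# In 4740, TargetUserName is the locked-out account and TargetDomainName
# holds the name of the computer the bad passwords came from.
$user   = $data['TargetUserName']
$caller = $data['TargetDomainName']

$body = @"
Account locked out: $user
Caller computer:    $caller
Logged on DC:       $($evt.MachineName)
Time:               $($evt.TimeCreated)
"@
Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
    -Subject "AD lockout: $user" -Body $body
'@

New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
Set-Content -Path $ScriptPath -Value $AlertScript -Encoding UTF8

# 2. The task runs as SYSTEM on a DC, so whoever can edit the script gets
#    SYSTEM on the DC. Drop inherited ACEs and allow only SYSTEM and Administrators.
icacls $ScriptDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

# 3. Scheduled task with an event trigger on Security/4740, run as SYSTEM.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]</Select>
</Query></QueryList>
"@
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoLogo -NonInteractive -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'AD Lockout Alert' -Action $action -Trigger $trigger -Principal $principal -Force
```

The XPath in the subscription is exactly what the Task Scheduler wizard generates for Log: Security, Source: Microsoft Windows security auditing, Event ID: 4740, so the registered task is equivalent to the one built by hand above. To test it, lock out a test account on purpose and confirm the mail names that account and the machine you did it from.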

That's it! Now whenever any user account in your domain gets locked out, the address you put in the To field of the script will get an alert. I recommend testing it with a test account. Do you use a similar method for lockout alerts in your company? Do you do it differently? If so, let us know in the comments!