Reporting on AD Lockouts via PowerShell

So I’m behind on posts, but this one was just too fun to pass up!

I was recently out and about, doing some SCSM training at a customer site up in the frosty North of Canada! In between consulting, I got the chance to wander around town, eat some delicious food, and make some amazing friends, but perhaps the coolest part of the trip was something you'll hear PowerShell gurus talk about again and again: I became a 'toolmaker' for my customer.

I overheard a conversation about a report they get that covers AD 'lockout' events. When a user mistypes their password a certain number of times (in their case, 3), the domain logs an event and locks the account for a period of time before reinstating access. They had a separate program that monitored these events and then dumped a report to PDF. Someone on their team then went through the PDF report (not sortable, because it is a PDF), found the unique accounts by hand (also not easy when you can't sort), looked up each user's e-mail address, and sent out a message along the lines of, "Hey, we saw your account get locked out. Was this you? If not, please let us know so we can do something about it."

As I was listening, all I could think was that it would be a pretty simple PowerShell script to hit the DCs, look for those events, add them to an array, parse them, and then do whatever was necessary with the resulting information. As it turns out, 3 hours of tinker-time later, I had a beautiful, tested script of under 200 lines that worked wonders.

https://bitbucket.org/willudovich/domain-lockout-historic-report

That script gets the lockouts, adds them to an array, parses them, outputs the information to CSV if desired, and e-mails the affected users using HTML templates with variable replacement. I thought the templates were a nice touch instead of using some PowerShell-generated HTML 🙂
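To make the moving parts concrete, here is an added example of the same pipeline (parse lockout events, reduce to one row per account, emit CSV, render a templated e-mail). It is not the script linked above; it is illustrative code written for this post. It assumes the account lockout event is Security event ID 4740, which is what Windows logs on the domain controller that locks the account. Because bad-password attempts are forwarded to the PDC emulator, that DC is the one guaranteed to record every lockout, so the query targets it. It also assumes "Audit User Account Management" is enabled in the audit policy (without it, 4740 is never written) and that the ActiveDirectory module is available for the live `Get-LockoutEvents` and `Get-ADUser` calls. The sample events at the bottom are constructed so the parsing and templating run offline; the `New-SampleEvent`, `Expand-LockoutTemplate` and other function names are my own.

```powershell
# Added example, not the script linked above. Assumes: Security event 4740 = account locked out,
# rights to read the Security log on the PDC emulator, and account management auditing enabled.

# Turn one 4740 event (an EventLogRecord from Get-WinEvent, or its ToXml() string) into a flat record.
function ConvertFrom-LockoutEvent {
    param([Parameter(Mandatory)] $Event)
    $xml  = [xml]$(if ($Event -is [string]) { $Event } else { $Event.ToXml() })
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = [datetime]$xml.Event.System.TimeCreated.SystemTime
        User           = $data['TargetUserName']
        # Quirk of 4740: TargetDomainName carries the caller computer name, not a domain.
        CallerComputer = $data['TargetDomainName']
        # SubjectUserName is the computer account of the DC that processed the lockout.
        LockingDC      = $data['SubjectUserName']
    }
}

# Live query: pull 4740s from the PDC emulator for the last N hours and parse them.
function Get-LockoutEvents {
    param([int]$Hours = 24, [string]$ComputerName = (Get-ADDomain).PDCEmulator)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { ConvertFrom-LockoutEvent $_ }
}

# Collapse repeated lockouts of the same account into one row (the "find unique values" step).
function Get-UniqueLockouts {
    param([Parameter(Mandatory)] [object[]]$Records)
    $Records | Group-Object User | ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            User        = $_.Name
            Count       = $_.Count
            LastLockout = $latest.Time
            Callers     = ($_.Group.CallerComputer | Sort-Object -Unique) -join ';'
        }
    }
}

# Fill {{Name}} placeholders in an HTML template. Values are HTML-encoded on purpose:
# CallerComputer is whatever the client reported, so it must not be able to inject markup into the mail.
function Expand-LockoutTemplate {
    param([Parameter(Mandatory)] [string]$Template, [Parameter(Mandatory)] [hashtable]$Values)
    $out = $Template
    foreach ($k in $Values.Keys) {
        $out = $out.Replace("{{$k}}", [System.Net.WebUtility]::HtmlEncode([string]$Values[$k]))
    }
    $out
}

# --- Constructed sample data (shaped like 4740 XML) so the rest runs without a domain. ---
function New-SampleEvent {
    param([string]$User, [string]$Caller, [string]$Time)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4740</EventID>
<TimeCreated SystemTime="$Time"/></System><EventData>
<Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">$Caller</Data>
<Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data><Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x3e7</Data></EventData></Event>
"@
}

$sampleEvents = @(
    (New-SampleEvent -User 'jdoe'   -Caller 'WKS-0417'   -Time '2014-02-10T14:05:11Z'),
    (New-SampleEvent -User 'jdoe'   -Caller 'WKS-0417'   -Time '2014-02-10T14:20:43Z'),
    (New-SampleEvent -User 'asmith' -Caller 'R&amp;D-LAB01' -Time '2014-02-10T15:01:02Z')
)

$records = $sampleEvents | ForEach-Object { ConvertFrom-LockoutEvent $_ }
$unique  = Get-UniqueLockouts $records

# The CSV side of the report (use Export-Csv -Path ... -NoTypeInformation to write a file).
$unique | ConvertTo-Csv -NoTypeInformation

$template = @'
<p>Hello {{DisplayName}},</p>
<p>Your account <b>{{User}}</b> was locked out {{Count}} time(s), most recently at {{LastLockout}}
from {{Callers}}. If this was not you, please contact the help desk.</p>
'@

foreach ($row in $unique) {
    # Live version: $adUser = Get-ADUser $row.User -Properties mail, DisplayName
    #               Send-MailMessage -To $adUser.mail -Subject 'Account lockout' -BodyAsHtml -Body $body ...
    $body = Expand-LockoutTemplate -Template $template -Values @{
        DisplayName = $row.User; User = $row.User; Count = $row.Count
        LastLockout = $row.LastLockout; Callers = $row.Callers
    }
    $body
}
```

Running this offline yields two rows (jdoe with a count of 2, asmith with a count of 1) and two rendered messages; the `R&D-LAB01` caller comes out as `R&amp;D-LAB01` in the HTML, which is the encoding step doing its job. Against a real domain, swap the constructed `$sampleEvents` for `Get-LockoutEvents -Hours 24` and uncomment the `Get-ADUser`/`Send-MailMessage` lines.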

I’m linking to BitBucket because the code has been changing too rapidly to post inline, but it’s pretty self-explanatory. I tried to comment the code so as to give the customer a chance to download it themselves and play with it. I’m trying to create more toolmakers!

I could see this being useful in a lot of environments, so I have shared it with the world. Those of you who are looking at this saying, “Why not use SCOM?”, well, you could use SCOM, but in this case the SCOM environment was run by a different team and politics being what they are, as well as the SCOM project being in its infancy, that wasn’t an option. This is a non-SCOM option to do some monitoring and have some fun!

Hopefully people find this useful and can contribute back! Let me know if anyone has improvements or modifications to make it better – I’m going to try to start to actually use some of the collaborative features of BitBucket 🙂

Enjoy!


PS. Yes, I know I left some variables in my script. I’ll clean them up later 🙂 – My e-mail address isn’t that hard to find anyway :p