{"id":2720,"date":"2024-04-13T03:16:12","date_gmt":"2024-04-13T01:16:12","guid":{"rendered":"https:\/\/itsimple.info\/?p=2720"},"modified":"2024-04-13T03:16:21","modified_gmt":"2024-04-13T01:16:21","slug":"how-to-configure-an-alert-on-active-directory-user-locked-out-and-how-to-find-whats-locking-out-an-ad-account-using-native-auditing","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=2720","title":{"rendered":"How to configure an alert on Active Directory User Locked Out and How To Find what’s locking out an AD account using native auditing"},"content":{"rendered":"\n

First you need to set the Number of failed login attempt using GPMC (Group policy management ) , The location of the key is :<\/p>\n\n\n\n

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Then you need to to enable user login auditing using the GPMC<\/p>\n\n\n\n
Perform the following actions on the domain controller (DC):<\/p>\n\n\n\n
    \n
  1. Open the Start<\/strong> menu. Search for and open the Group Policy Management Console<\/strong> (GPMC). You can also run the command gpmc.msc<\/em><\/strong>.<\/li>\n<\/ol>\n\n\n\n
    \"How<\/a><\/figure>\n\n\n\n
      \n
    1. Right-click the domain<\/strong> or organizational unit (OU)<\/strong> where you want to audit account lockouts, and click Create a GPO in this domain, and Link it here<\/strong>.<\/li>\n<\/ol>\n\n\n\n
      Note<\/strong>: If you have already created a GPO, click Link an Existing GPO<\/strong>.<\/p>\n\n\n\n
      \"How<\/a><\/figure>\n\n\n\n
        \n
      1. Name the GPO<\/strong>.<\/li>\n\n\n\n
      2. Right-click the GPO<\/strong> and choose Edit<\/strong>.<\/li>\n<\/ol>\n\n\n\n
        \"How<\/a><\/figure>\n\n\n\n
          \n
        1. In the left pane of the Group Policy Management Editor<\/em>, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management<\/strong>.<\/li>\n<\/ol>\n\n\n\n
          \"How<\/a><\/figure>\n\n\n\n
            \n
          1. In the right pane, you will see the list of policies under Account Management<\/em>. Double-click Audit User Account Management<\/strong> and check the boxes labeled Configure the following audit events, Success<\/strong>, and Failure<\/strong>.<\/li>\n<\/ol>\n\n\n\n
            \"How<\/a><\/figure>\n\n\n\n
              \n
            1. Click Apply<\/strong> and then OK<\/strong>.<\/li>\n\n\n\n
            2. Go back to the Group Policy Management Console<\/strong>. In the left pane, right-click the domain<\/strong> or OU<\/strong> that the GPO was linked to and click Group Policy Update<\/strong>. This step makes sure the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.<\/li>\n<\/ol>\n\n\n\n
              \"How<\/a><\/figure>\n\n\n\n
              Steps to view the logged events in the Event Viewer<\/h2>\n\n\n\n
              Once the above steps are complete, events will be logged in the event log. These can be viewed in the Event Viewer by following the steps below:<\/p>\n\n\n\n
                \n
              1. Open the Start<\/strong> menu, search for Event Viewer<\/strong>, and click to open it.<\/li>\n\n\n\n
              2. In the left pane of the Event Viewer window, navigate to Windows Logs > Security<\/strong>. Here, you will find a list of all the security events<\/strong> that are logged in the system.<\/li>\n<\/ol>\n\n\n\n
                \"How<\/a><\/figure>\n\n\n\n
                  \n
                1. In the right pane under Security<\/em>, click Filter Current Log<\/strong>.<\/li>\n<\/ol>\n\n\n\n
                  \"How<\/a><\/figure>\n\n\n\n
                    \n
                  1. In the pop-up window, enter 4740<\/strong> in the field labeled <All Event IDs><\/strong>.<\/li>\n\n\n\n
                  2. Click OK<\/strong>. This will provide a list of occurrences of the Event ID you entered.<\/li>\n\n\n\n
                  3. Double-click the Event ID to view its properties<\/strong> (description).<\/li>\n<\/ol>\n\n\n\n
                    \"How<\/a><\/figure>\n\n\n\n
                    In the event description, the Caller Computer Name is shown.<\/p>\n\n\n\n
                    To perform a more detailed analysis of the cause of this lockout, carry out the following actions on the DC:<\/p>\n\n\n\n
                      \n
                    1. In the Event Viewer<\/em>, filter the current view to look for the Event ID 4625<\/strong>, which is logged when there is a failed logon.<\/li>\n<\/ol>\n\n\n\n
                      \"How<\/a><\/figure>\n\n\n\n
                        \n
                      1. On the right pane of the Event Viewer window, click Find<\/strong>, enter the name of the user that was locked out, and click Find Next<\/strong>.<\/li>\n<\/ol>\n\n\n\n
                        \"How<\/a><\/figure>\n\n\n\n
                          \n
                        1. Look for an event that was logged after the account lockout time and view its properties.<\/li>\n<\/ol>\n\n\n\n
                          \"How<\/a><\/figure>\n\n\n\n
                            \n
                          1. Scroll down to Caller Process Name<\/strong>. This will show you the location of the process that possibly caused the lockout.<\/li>\n<\/ol>\n\n\n\n
                            Now you need a Powershell script to check is there is locked out users and send you email alert :<\/p>\n\n\n\n
                            powershell<\/p>\n\n\n\n
                            # SMTP Server Configuration\n$SmtpServer = \"smtp.your_server_name\"\n$SmtpUsername = \"User Name\"\n$SmtpPassword = \"Password\"\n$From = \"Sender_email\"\n$To = \"recipient_email\"\n$Subject = \"Active Directory Locked Out User Alert !\"\n\n# Get locked out users\n$LockedOutUsers = Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, UserPrincipalName, LockedOut\n\n# If there are locked out users, send an email alert\nif ($LockedOutUsers) {\n    $Body = \"The following users are locked out:`n`n\"\n    foreach ($user in $LockedOutUsers) {\n        $Body += \"Name: $($user.Name)`n\"\n        $Body += \"Username: $($user.SamAccountName)`n\"\n        $Body += \"User Principal Name (UPN): $($user.UserPrincipalName)`n\"\n        $Body += \"Locked Out: $($user.LockedOut)`n`n\"\n    }\n\n    # Send email\n    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $SmtpUsername, (ConvertTo-SecureString -String $SmtpPassword -AsPlainText -Force)\n    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $Subject -Body $Body -Credential $Credential -UseSsl -Port 587\n}\nelse {\n    Write-Host \"No locked out users found.\"\n}<\/code><\/pre>\n\n\n\n
                            This script use smtp with SSL through port 587, you can delete the “-UseSsl” and change the port to 25 in the script in order to be more soft<\/p>\n\n\n\n
                            And the last this is to set up Task Schedule with alert as a trigger to run this script , from event Viewer, under security, find the event ID 4740 “A user account was locked out”<\/p>\n\n\n\n
                            \"\"<\/figure>\n\n\n\n
                             Flow the wizard to the ens and adjust the task to your need , Here you can find more information to do that :<\/p>\n\n\n\n
                            \n
                            Create a Scheduled Task to Run PowerShell Script<\/a><\/blockquote>