Emails when a user gets locked out

Posted on 2009-05-15
Medium Priority
Last Modified: 2012-06-27
Simply put, I'd like to receive an email anytime one of my users gets locked out on our SBS 2003 system. I normally only see this when I sift through event viewer. Is there a program or option somewhere that I can accomplish this.
Question by:Jerrod_W
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 57

Expert Comment

by:Mike Kline
ID: 24398318
This can be done using third party monitoring tools but seeing you are in SBS I'm guessing there may not be huge money in the budget for new software
You may want to check out event triggers
Those links should get you going.  I haven't tested this fully but it is worth trying out I think.
LVL 85

Expert Comment

ID: 24398331
You can use eventriggers.exe and blat to do this:


happy mailing : Blat online

@echo off
set From=lockout@domain.com
set To=me@domain.com
set SMTP=smtp.domain.com
set Subject=User locked out
set EmailFile=%Temp%\%~n0.eml
>"%EmailFile%" echo A user was locked out at %Date% %Time% on %ComputerName%
"C:\Program Files\blat\blat.exe" "%EmailFile%\%LogFile%" -f %From% -to %To% -server %SMTP% -subject "%Subject%"

Open in new window

LVL 85

Expert Comment

ID: 24398371
Slight correction: remove the "\%LogFile%" in the last line ...
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI


Expert Comment

ID: 24398474
We use NetWrix Account Lockout Examiner.  


It works well for us because it has the option to unlock accounts either via a website (for helpdesk personnel) or email remote control (good for blackberries).
LVL 85

Expert Comment

ID: 24398482
And it was bugging me that the user who was locked out was not reported.
You should be able to combine this with PsLogList to retrieve the event.
PsLogList v2.7

The new script assumes that the script and the external tools are in the same folder (untested):
@echo off
set From=lockout@domain.com
set To=me@domain.com
set SMTP=smtp.domain.com
set Subject=User locked out
set EmailFile=%Temp%\%~n0.eml
:: *** set the event id of the lockout event eventtriggers is monitoring:
set EventID=
>"%EmailFile%" echo A user was locked out at %Date% %Time% on %ComputerName%; event log entry as follows:
"%~dp0psloglist.exe" -m 1 -i %EventID% security >>"%EmailFile%" 2>&1
"%~dp0blat.exe" "%EmailFile%" -f %From% -to %To% -server %SMTP% -subject "%Subject%"

Open in new window

LVL 18

Expert Comment

ID: 24398730
I have used Eventtrigers along with Blat. It works fine for a free tool.
You may also take a look at this free tool as well http://www.poweradmin.com/ServerMonitor/features.aspx?show=actions
LVL 27

Accepted Solution

bluntTony earned 2000 total points
ID: 24402314
You could just use SBS's built in monitoring facility. Go to:

Server Management | Monitoring and Reporting | Change Alert Notifications | Event log errors | 'Account Lockout' (Event ID: 539) - tick this option.

Add your email address into the text field in the 'Email Address' tab.

(If you haven't already set up monitoring and reports, click on the 'Set up Monitoring Reporting and Alerts' link and follow the wizard)

You'll then get emails whenever an account gets locked out.


Author Closing Comment

ID: 31582034
This seems to be working great. Thanks.

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question