Phillip Balderos asked:
Receiving Notification When A User Account In Active Directory Is Disabled And The User Account Belongs To A specific Security Group

I need to create an automated process that does the following.

The scenario is based on a user being terminated or leaving the organization.

1) The user account gets disabled in AD as part of the employee termination process
2) The user account is part of a specific security group, for example SAP-Users
3) We need an e-mail notification that a user account belonging to the group "SAP-Users" was disabled
Note: This process should only apply if the user account belongs to "SAP-Users"
Michelangelo:

A script can be scheduled on a control workstation joined to the domain.

The e-mail body will consist of UserPrincipalName, SamAccountName and Enabled of the disabled users.
Other attributes can be included by changing
-Properties Enabled and the select
(i.e. -Properties * | select yourproperties)

Import-Module ActiveDirectory
$mygroup = 'sap-users@mycompany.com'
# Look the group up by its mail attribute and pull the member DNs in one query
$mygroupmembers = Get-ADGroup -Filter { mail -like $mygroup } -Properties Members
# Resolve every member and keep only the accounts that are disabled
$mybody = ($mygroupmembers.Members | Get-ADUser -Properties Enabled).Where({ -not $_.Enabled }) | Select-Object UserPrincipalName, SamAccountName, Enabled
if ($mybody.Count) {
    $MailMessage = @{
        To          = "me@mycompany.com"
        From        = "me@mycompany.com"
        Subject     = "Disabled user(s) in $mygroup"
        Body        = ($mybody | Format-Table -AutoSize | Out-String)   # render the objects as text; "$mybody" would only give type names
        SmtpServer  = "smtprelay.mycompany.com"
        ErrorAction = "SilentlyContinue"
    }   # this closing brace of the splat table was missing
    Send-MailMessage @MailMessage
}


Import-Module ActiveDirectory
$group = "SAP-Users"
$now  = Get-Date
$date = $now.AddDays(-1)
# 4725 = "A user account was disabled". Several may have been logged in the window, so handle each one
$events = Get-WinEvent -FilterHashtable @{ LogName = "Security"; ID = 4725; StartTime = $date } -ErrorAction SilentlyContinue
foreach ($event in $events) {
    [XML] $eventXML = $event.ToXml()
    # Data[0] of a 4725 event is TargetUserName, the sAMAccountName of the account that was disabled
    $disabledUser = $eventXML.Event.EventData.Data[0].'#text'
    # Compare DN to DN; the ADUser object itself was used before, which only worked because its ToString() is the DN
    $disabledDN = (Get-ADUser -Identity $disabledUser).DistinguishedName
    $disabledMembers = Get-ADGroupMember -Identity $group | Where-Object { $_.DistinguishedName -eq $disabledDN }
    foreach ($disabledMember in $disabledMembers) {
        $name = $disabledMember.Name
        $SamAccountName = $disabledMember.SamAccountName
        $mybody = "$name ($SamAccountName) was disabled at $($event.TimeCreated) and is a member of $group"

        $MailMessage = @{
            To          = "me@mycompany.com"
            From        = "me@mycompany.com"
            Subject     = "Account disabled: $name is a member of $group"   # $mygroup was undefined in this script
            Body        = "$mybody"
            SmtpServer  = "smtprelay.mycompany.com"
            ErrorAction = "SilentlyContinue"
        }   # this closing brace of the splat table was missing
        Send-MailMessage @MailMessage
    }
}

You have to run the script when event 4725 appears in the event viewer; use this as an example:
https://blogs.technet.microsoft.com/jhoward/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger/
Very neat solution, David. For the sake of completeness, it will need to be applied on all domain DCs, correct?
Yes, it must be scheduled to run on all DCs.
Phillip Balderos (ASKER):

Thank you guys for the suggestion! This one seems to have done the trick. I was trying to avoid creating a task to make this script run on each of my 20 domain controllers, but I am happy to have a solution to the main problem.

Import-Module ActiveDirectory
# Event 4725 = "A user account was disabled" (4740 is the lockout event). Only the newest one
# on this DC is read, so the task must be triggered per event, as in the linked article
$AccountDisabledEvent = Get-EventLog -LogName "Security" -InstanceID 4725 -Newest 1
$DisabledAccount = $AccountDisabledEvent.ReplacementStrings[0]   # TargetUserName
$AccountDisabledEventTime = $AccountDisabledEvent.TimeGenerated
$AccountDisabledEventMessage = $AccountDisabledEvent.Message
$filterGroup = "SAP_users"
$messageParameters = @{
    Subject    = "Account Disabled: $DisabledAccount"
    Body       = "Account $DisabledAccount was disabled on $AccountDisabledEventTime.`n`nEvent Details:`n`n$AccountDisabledEventMessage"
    From       = "lock-up@yourdomain.com"
    To         = "youremail@yourdomain.com", "someoneelse@yourdomain.com"
    SmtpServer = "yoursmtpserver.yourdomain.com"
}
# Anchor the regex on the group's RDN; a bare -match "SAP_users" would also fire for e.g. "SAP_users_admins"
if ((Get-ADUser -Identity $DisabledAccount -Properties memberof).memberof -match "^CN=$([regex]::Escape($filterGroup)),")
{
    Send-MailMessage @messageParameters
}

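The following is an added example, not code from this thread or from any of its participants. It puts the three pieces the thread arrives at into one script: parse a 4725 event by field name rather than position, test group membership with an exact DN comparison instead of a substring regex, and send one mail per event. The group DN, mail addresses, relay name and the sample event at the bottom are placeholders and constructed data; the group DN and "memberOf" used in the offline demo are assumptions, and memberOf only lists direct group membership, so nested groups need a separate check.

```powershell
# Added example for the thread above; not the asker's or answerers' code.
# Live use: run from a per-DC scheduled task triggered by event 4725, e.g.
#   schtasks /Create /TN "Alert-4725" /SC ONEVENT /EC Security /MO "*[System[EventID=4725]]" ^
#            /TR "powershell.exe -NoProfile -File C:\Scripts\Alert-4725.ps1" /RU SYSTEM
# or from a collector if the DCs' Security logs are forwarded with Windows Event Forwarding.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue   # not needed for the offline demo at the bottom

function ConvertFrom-Event4725 {
    # Flatten the XML of a 4725 ("A user account was disabled") event. Fields are read by
    # their Name attribute, not by index, so a reordered EventData cannot return the wrong value.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    [pscustomobject]@{
        TargetUserName = $data['TargetUserName']
        TargetDomain   = $data['TargetDomainName']
        Actor          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Computer       = $EventXml.Event.System.Computer
        TimeCreated    = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
    }
}

function Test-GroupMember {
    # Exact, case-insensitive DN comparison. A regex -match on the group name would also
    # fire for "SAP-Users-Admins" or any other group whose DN happens to contain the text.
    param([string[]]$MemberOf, [Parameter(Mandatory)][string]$GroupDn)
    foreach ($dn in $MemberOf) { if ($dn -eq $GroupDn) { return $true } }
    return $false
}

function Send-DisabledMemberAlert {
    # Live handler (needs the AD module and a DC's Security log). Placeholders below are assumptions.
    param(
        [string]$GroupDn    = 'CN=SAP-Users,OU=Groups,DC=mycompany,DC=com',
        [string]$To         = 'secops@mycompany.com',
        [string]$From       = 'ad-alerts@mycompany.com',
        [string]$SmtpServer = 'smtprelay.mycompany.com',
        [datetime]$Since    = (Get-Date).AddMinutes(-15)   # small overlap so a late task run misses nothing
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4725; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $e = ConvertFrom-Event4725 -EventXml ([xml]$ev.ToXml())
        try {
            $user = Get-ADUser -Identity $e.TargetUserName -Properties memberOf -ErrorAction Stop
        } catch {
            # The offboarding workflow may already have deleted the object; say so instead of failing silently
            Write-Warning "4725 logged for '$($e.TargetUserName)' but the account could not be read: $_"
            continue
        }
        if (-not (Test-GroupMember -MemberOf ([string[]]$user.memberOf) -GroupDn $GroupDn)) { continue }
        $body = @"
Account $($e.TargetDomain)\$($e.TargetUserName) was disabled at $($e.TimeCreated) on $($e.Computer) by $($e.Actor).
The account is a member of $GroupDn.
"@
        Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer -Body $body `
            -Subject "Account disabled: $($e.TargetUserName) (member of $($GroupDn.Split(',')[0]))"
    }
}

# --- Offline demo with a constructed 4725 event (no DC or mail relay needed) ---
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Computer>DC01.mycompany.com</Computer><TimeCreated SystemTime="2024-05-06T14:02:11.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">MYCOMPANY</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-500</Data>
    <Data Name="SubjectUserName">hr-offboarding</Data>
    <Data Name="SubjectDomainName">MYCOMPANY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
$e = ConvertFrom-Event4725 -EventXml ([xml]$sampleXml)
"$($e.TargetUserName) disabled by $($e.Actor) on $($e.Computer) at $($e.TimeCreated)"

# Constructed memberOf values: the look-alike group comes first to show the exact match does not bite on it
$sapUsers = 'CN=SAP-Users,OU=Groups,DC=mycompany,DC=com'
$memberOf = 'CN=SAP-Users-Admins,OU=Groups,DC=mycompany,DC=com', $sapUsers
Test-GroupMember -MemberOf $memberOf    -GroupDn $sapUsers   # member of the real group
Test-GroupMember -MemberOf $memberOf[0] -GroupDn $sapUsers   # only in the look-alike group; a -match would have said yes
```

The handler reads a time window rather than only the newest event, so two terminations processed in the same minute both produce a mail, and it warns instead of crashing when the account has already been deleted by the time the task fires.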
