Amount of locked out accounts

It is a good to know how many of your user accounts are locked out right now… I would go as far as saying you should monitor this and have alert levels on it, cause this could indicate and reveal a brute-force like attack against your system.

Doing it manually in a PowerShell (assuming you have RSAT / Active-Directory PowerShell modules installed) can be done with the following command that will show you who is locked out and the calculated amount as well..

$s=Search-ADAccount -LockedOut |ft
$s
'CurrentCount: ' + $s.count

$s=Search-ADAccount -LockedOut |ft

'CurrentCount: ' + $s.count

Using PRTG you can add the following advanced script

Import-module activedirectory
$Count=-1

$Accounts = Search-ADAccount -LockedOut
$Count=$Accounts.Count

$Users = ""
foreach ($user in $Accounts) {
	if ($Users.Length -gt 0) {
		$Users += " / "
	}
	$Users += $user.SamAccountName
}

$XML =  "<prtg>"
$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"
$XML += "<text>$Users</text>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}

WriteXmlToScreen $XML

Import-module activedirectory

$Count=-1

$Accounts = Search-ADAccount -LockedOut

$Count=$Accounts.Count

$Users = ""

foreach ($user in $Accounts) {

if ($Users.Length -gt 0) {

$Users += " / "

}

$Users += $user.SamAccountName

}

$XML = "<prtg>"

$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"

$XML += "<text>$Users</text>"

$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML

After adding it as a sensor, it will create a single channel with the amount of locked out users. You should set error limits:

minimum error limit: 0
- the script returns -1 if an error occurred
maximum error limit: this depends on your user base – I would say about 5% of your users – no more.. depends as well on the lockout-duration in your security policy…

The advantage of the script in PRTG is – it always reports back additional text – the currently locked out SamAccount names.. respective user-names.. so in case it generates an error – you will see some more information…

Assuming there is a brute-force, you might see this sparking and going down – meaning someone tries to find an entry account… since the lockout attribute causes an emergency-replication of your domain-controllers (this attribute bypasses the regular replication interval) you can fire it relatively simply against your domain, the script just uses the current logon domain of the executing user.