IT-Admins

a website from a systems administrator for systems administrators


    Amount of locked out accounts

    It is good to know how many of your user accounts are locked out right now. I would go as far as saying you should monitor this and set alert levels on it, because a sudden rise in locked-out accounts can indicate and reveal a brute-force style attack against your systems.

    Doing it manually in PowerShell (assuming the RSAT / Active Directory PowerShell module is installed) can be done with the following commands, which show who is locked out and the calculated count as well.

    lockouts - simple PS commands
    PowerShell
    # Collect the account objects first; piping straight into Format-Table would store
    # formatting objects in $s and .Count would no longer be the number of accounts
    $s = @(Search-ADAccount -LockedOut)
    $s | Format-Table
    'CurrentCount: ' + $s.Count

    Using PRTG, you can add the following script as an advanced script sensor (EXE/Script Advanced):

    Get-LDAPLockoutCount.ps1
    PowerShell
    # Reports the number of locked-out accounts as a PRTG channel; -1 signals that the AD query failed
    $Count = -1
    $Users = ""
     
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        # @() forces an array so .Count is correct for zero, one or many results
        $Accounts = @(Search-ADAccount -LockedOut -ErrorAction Stop)
        $Count = $Accounts.Count
     
        # Collect the SamAccountNames for the sensor's text field
        foreach ($user in $Accounts) {
            if ($Users.Length -gt 0) {
                $Users += " / "
            }
            $Users += $user.SamAccountName
        }
    }
    catch {
        # Leave $Count at -1 so the minimum error limit fires; put the reason into the text field
        $Users = "Error: " + [System.Security.SecurityElement]::Escape($_.Exception.Message)
    }
     
    $XML =  "<prtg>"
    $XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"
    $XML += "<text>$Users</text>"
    $XML += "</prtg>"
     
    # Parse the string as XML and print it indented, so PRTG receives well-formed output
    Function WriteXmlToScreen ([xml]$xml)
    {
        $StringWriter = New-Object System.IO.StringWriter
        $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter
        $XmlWriter.Formatting = "Indented"
        $xml.WriteTo($XmlWriter)
        $XmlWriter.Flush()
        $StringWriter.Flush()
        Write-Output $StringWriter.ToString()
    }
     
    WriteXmlToScreen $XML

    After adding it as a sensor, it creates a single channel with the number of locked-out users. You should set error limits on that channel:

    • minimum error limit: 0
      • the script returns -1 if an error occurred, so a failed query shows up as a sensor error rather than as "no lockouts"
    • maximum error limit: this depends on your user base; I would say about 5% of your users, no more. It also depends on the lockout duration in your security policy, since a longer duration keeps accounts in the locked state longer and raises the normal count.

    The advantage of the script in PRTG is that it always reports additional text, the SamAccountNames (i.e. the user names) of the currently locked-out accounts, so when the sensor goes into an error state you immediately see which accounts are affected.

    If a brute-force attack is under way, you might see the value spike and drop again, meaning someone is trying to find a usable account. Since a lockout triggers urgent replication between your domain controllers (the lockout attribute bypasses the regular replication interval), you can simply run the script against your domain as a whole; it uses the logon domain of the executing user.
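    As an added example (not the post's own script), the following variant derives the 5% maximum error limit described above from the number of enabled users and ships it inside the sensor XML, adds each account's lockout time to the text field, and uses PRTG's <error> element instead of -1 when the query fails. The parameter names, the MinimumLimit floor and the message wording are assumptions; it requires the RSAT ActiveDirectory module like the original.

```powershell
# Added example (not the post's script): PRTG EXE/Script Advanced sensor that derives the
# maximum error limit from the enabled-user count and ships it inside the sensor XML.
# Assumes the RSAT ActiveDirectory module; parameter names and the floor are assumptions.
param(
    [double]$ErrorPercent = 5,   # the ~5% of the user base suggested in the text
    [int]$MinimumLimit   = 5     # floor so a small domain does not alert on one locked account
)

function ConvertTo-XmlSafe([string]$s) { [System.Security.SecurityElement]::Escape($s) }

try {
    Import-Module ActiveDirectory -ErrorAction Stop
    # @() forces an array so .Count is correct for zero, one or many results
    $locked  = @(Search-ADAccount -LockedOut -UsersOnly -ErrorAction Stop)
    $enabled = @(Get-ADUser -Filter 'Enabled -eq "True"' -ErrorAction Stop)
    $limit   = [int][math]::Max($MinimumLimit, [math]::Ceiling($enabled.Count * $ErrorPercent / 100))

    # Add each account's lockout time so the text shows whether the lockouts cluster in time
    $details = foreach ($acct in $locked) {
        $u = Get-ADUser -Identity $acct.SamAccountName -Properties AccountLockoutTime -ErrorAction SilentlyContinue
        $t = if ($u -and $u.AccountLockoutTime) { $u.AccountLockoutTime.ToString('yyyy-MM-dd HH:mm') } else { 'unknown' }
        "$($acct.SamAccountName) ($t)"
    }
    $text = if ($details) { $details -join ' / ' } else { 'no accounts locked out' }

    # LimitMode/LimitMaxError set the channel's error threshold when PRTG first creates the channel
@"
<prtg>
  <result>
    <channel>LDAP accounts locked out</channel>
    <value>$($locked.Count)</value>
    <unit>Count</unit>
    <LimitMode>1</LimitMode>
    <LimitMaxError>$limit</LimitMaxError>
    <LimitErrorMsg>More than $limit locked-out accounts ($ErrorPercent% of $($enabled.Count) enabled users): possible brute-force</LimitErrorMsg>
  </result>
  <text>$(ConvertTo-XmlSafe $text)</text>
</prtg>
"@
}
catch {
    # PRTG's error form: the sensor turns red with the message instead of reporting a bogus count
@"
<prtg>
  <error>1</error>
  <text>$(ConvertTo-XmlSafe $_.Exception.Message)</text>
</prtg>
"@
}
```

    PRTG reads the Limit* elements only when it first creates the channel; to change the threshold later, edit the channel settings in PRTG or re-add the sensor.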


    Tags: account, active directory, ldap, lockout, powershell, prtg, security

    October 25, 2019 by Florian Rossmark. Categories: monitoring, prtg, security, server
