This is a Windows service that quietly listens to the Security event log. If it comes across an event indicating that a user account was locked out, it sends an email to a given address saying which account was locked out. I use this in conjunction with the Active Directory Web Admin application. The email contains a link directly to the web site showing the given user, so I can immediately unlock them with just a few clicks.
Note: The System.Diagnostics.EventLog class can only monitor local event logs, so this must be run on the server that hosts the specific log you want to watch — most likely your domain controller.
Download the code: EventLogMonitor.zip 16.5 KB, MD5: fca34da0b99045173fa1c8751fcb83b3
Download the installer: EventLogMonitorServiceSetup.msi 370 KB, MD5: 75884789b132c29d61b41e5377ad7c39
Configuration
You’ll need to modify the Web.config file to suit your organization and set the email recipient, SMTP server to use, and other options. In the EventMonitor.settings file are the following settings (those with asterisks must be changed, the rest can be left at their default values for most uses):
- LockoutNotifyEmailAddresses* - The list of email addresses to send the notification to. Multiple addresses should be delimited with commas or semicolons.
- LockoutNotifySubject - The subject of the email. The first parameter is replaced with the username.
- SmtpHost* - The SMTP server to use for sending email alerts.
- SmtpPort - The SMTP port.
- LockoutNotifyFromAddress - The address that will appear in the From field of the alert emails.
- LockoutNotifyMessage* - The email message body. The first parameter is replaced with the username, and the second with the text of the event message.
- ExcludeAccounts - A semicolon- or comma-delimited list of accounts for which no notification should be sent. For some reason my Administrator account was generating lockout events. I took the lazy route and added this instead of finding the root cause of the events.
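The following C# sketch is an added example (not the code from the EventLogMonitor download) of the mechanism the service is built on: subscribing to System.Diagnostics.EventLog.EntryWritten on the local Security log, keying on the lockout event, honouring the ExcludeAccounts list, and formatting the subject and body with the username and event text as the settings above describe. The configuration values, the MonitorConfig class and the choice of event ID 4740 ("A user account was locked out", Windows Server 2008 and later) are my assumptions; the post does not say which ID the service watches.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Net.Mail;

// Assumed stand-ins for the values the real service reads from EventMonitor.settings.
static class MonitorConfig
{
    public const string LockoutNotifyEmailAddresses = "helpdesk@example.com; oncall@example.com";
    public const string LockoutNotifySubject = "Account locked out: {0}";
    public const string LockoutNotifyMessage = "Account {0} was locked out.\r\n\r\nEvent text:\r\n{1}";
    public const string LockoutNotifyFromAddress = "lockout-monitor@example.com";
    public const string SmtpHost = "smtp.example.com";
    public const int SmtpPort = 25;
    public const string ExcludeAccounts = "Administrator; svc_backup";
}

class LockoutMonitor
{
    // Assumption: 4740 = "A user account was locked out" in the Security log.
    const long LockoutEventId = 4740;

    readonly EventLog _securityLog;
    readonly string[] _excluded;

    public LockoutMonitor()
    {
        _excluded = SplitList(MonitorConfig.ExcludeAccounts);

        // EventLog can only raise EntryWritten for a log on the local machine ("."),
        // which is why the service has to run on the domain controller itself.
        _securityLog = new EventLog("Security", ".");
        _securityLog.EntryWritten += OnEntryWritten;
        _securityLog.EnableRaisingEvents = true;
    }

    // Accepts the comma- or semicolon-delimited lists used by the settings.
    static string[] SplitList(string list)
    {
        return list.Split(new[] { ',', ';' }, StringSplitOptions.RemoveEmptyEntries)
                   .Select(s => s.Trim())
                   .Where(s => s.Length > 0)
                   .ToArray();
    }

    void OnEntryWritten(object sender, EntryWrittenEventArgs e)
    {
        EventLogEntry entry = e.Entry;
        if (entry.InstanceId != LockoutEventId)
            return;

        // For event 4740 the first replacement string is the locked-out account name.
        string user = entry.ReplacementStrings.Length > 0 ? entry.ReplacementStrings[0] : "(unknown)";

        // Skip accounts listed in ExcludeAccounts (case-insensitive, as account names are).
        if (_excluded.Any(x => string.Equals(x, user, StringComparison.OrdinalIgnoreCase)))
            return;

        SendNotification(user, entry.Message);
    }

    static void SendNotification(string user, string eventText)
    {
        var mail = new MailMessage();
        mail.From = new MailAddress(MonitorConfig.LockoutNotifyFromAddress);
        // {0} is the username; {1} (body only) is the full event message text.
        mail.Subject = string.Format(MonitorConfig.LockoutNotifySubject, user);
        mail.Body = string.Format(MonitorConfig.LockoutNotifyMessage, user, eventText);
        foreach (string addr in SplitList(MonitorConfig.LockoutNotifyEmailAddresses))
            mail.To.Add(addr);

        using (var smtp = new SmtpClient(MonitorConfig.SmtpHost, MonitorConfig.SmtpPort))
            smtp.Send(mail);
    }
}
```

Two caveats worth knowing before relying on this pattern: the EventLog component is documented to raise EntryWritten at most once per roughly six seconds, so a burst of lockouts can arrive as a single callback and a production service should re-scan the log from the last entry it handled rather than trust one event per call; and reading the Security log requires the service account to have that privilege, which is why such services usually run as LocalSystem on the controller that records the lockout.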