May/10
6
SCOM / PowerShell : Number of locked AD accounts
No comments · Posted by admin in PowerShell
Dear All,
Here is a new little PowerShell script that creates event 6970 in the event viewer when more than X accounts are locked in less than Y minutes. Now you just have to create a new rule in SCOM that collects events with ID 6970 and schedule that script to run every 10 minutes.
Thanks to that, you can be alerted when there is an attack attempt against your Active Directory.
```powershell
########################################################
# Get the number of accounts locked in the last X minutes
########################################################

###########################
# Param
###########################
$LockedSince = 10           # Minutes: how far back to look
$NumberofLockedAccount = 50 # Threshold: at or above this count the event is written as Error

###########################
# SCRIPT
###########################
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
# lockoutTime is not cleared when a lockout expires, so this LDAP filter only
# pre-selects candidates; the UserFlags check below confirms the account is still locked.
# objectCategory=person excludes computer accounts, which also carry objectClass=user.
$objSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"
$colPropList = "name","samaccountname","lockoutTime"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | Out-Null}
$colResults = $objSearcher.FindAll()

$cpt = 0
$result = ""
$result2 = ""
$ADS_UF_LOCKOUT = 0x00000010
$domainname = $objDomain.name
$DayDate = Get-Date
$DayDateBefore = $DayDate.AddMinutes(-$LockedSince)

foreach ($objResult in $colResults)
{
    $samaccountname = $objResult.Properties.samaccountname[0]
    $user = [ADSI]"WinNT://$domainname/$samaccountname"
    if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT)
    {
        $Sam = $samaccountname
        $Name = $objResult.Properties.name[0]
        # lockoutTime is a Windows FILETIME (100 ns ticks since 1601-01-01, UTC)
        $LockTime = [datetime]::FromFileTime([int64]$objResult.Properties.lockouttime[0])
        # We want all the accounts locked in the last $LockedSince minutes
        if(($LockTime -gt $DayDateBefore) -and ($LockTime -lt $DayDate))
        {
            Write-Host "************"
            Write-Host "User : $Sam"
            Write-Host "Name : $Name"
            Write-Host "LockTime : $LockTime"
            Write-Host "************"
            Write-Host ""
            $result2 += "************`r"
            $result2 += "User : $Sam`r"
            $result2 += "Name : $Name`r"
            $result2 += "LockTime : $LockTime`r"
            $result2 += "************`r"
            $result2 += "`r"
            $cpt += 1
        }
    }
}

Write-Host "************"
Write-Host "There is $cpt account(s) locked in the last $LockedSince minutes"
Write-Host "************"
$result += "************`r"
$result += "There is $cpt account(s) locked in the last $LockedSince minutes`r"
$result += "************`r"
$result += $result2

if($cpt -ge $NumberofLockedAccount)
{
    Write-Host ""
    Write-Host "Limit reached, /!\ ALERT /!\"
    Write-Host ""
    $infoevent = [System.Diagnostics.EventLogEntryType]::Error
}
else
{
    $infoevent = [System.Diagnostics.EventLogEntryType]::Information
}

############################
# Event creation
############################
# The source must be registered once (needs administrative rights); after that the
# scheduled task only needs permission to write to the Application log.
if (-not [System.Diagnostics.EventLog]::SourceExists("AD-SCOM"))
{
    [System.Diagnostics.EventLog]::CreateEventSource("AD-SCOM", "Application")
}
$evt = New-Object System.Diagnostics.EventLog("Application")
$evt.Source = "AD-SCOM"
$evt.MachineName = "."
$evt.WriteEntry($result, $infoevent, 6970)
```
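As an added example (not code from the original post), the same alert can be computed from the domain controller's Security log instead of the lockoutTime attribute: event 4740 is written for every lockout and names the caller computer, which is the first thing you want to know when the threshold trips. Assumptions: it runs on the PDC emulator (which records every lockout in the domain) with rights to read the Security log; the 4740 property positions are taken from the event schema, and the AD-SCOM source and event ID 6970 mirror the script above so the same SCOM rule collects it.

```powershell
# Added example, not part of the original post: count lockouts from the
# Security log (event 4740, "A user account was locked out") and report
# which computer the failed logons came from.
# Assumption: run on the PDC emulator with rights to read the Security log.
$LockedSince           = 10   # minutes, same meaning as in the original script
$NumberofLockedAccount = 50   # threshold, same meaning as in the original script

$since  = (Get-Date).AddMinutes(-$LockedSince)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue   # "no events found" is an error, not an empty result

# Property order of 4740 (assumed from the event's XML schema):
#   [0] TargetUserName   = the account that was locked out
#   [1] TargetDomainName = the "Caller Computer Name" the bad passwords came from
$lockouts = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $e.Properties[0].Value
        Caller  = $e.Properties[1].Value
    }
}

$cpt   = @($lockouts).Count
$lines = @("There is $cpt account(s) locked in the last $LockedSince minutes")
if ($cpt -gt 0) {
    $lines += 'Lockouts per caller computer:'
    $lines += $lockouts | Group-Object Caller | Sort-Object Count -Descending |
              ForEach-Object { '  {0,-30} {1}' -f $_.Name, $_.Count }
}
$message = $lines -join "`r`n"
Write-Host $message

# Same source and event ID as the original script, so the same SCOM rule picks it up.
$type = if ($cpt -ge $NumberofLockedAccount) { 'Error' } else { 'Information' }
if (-not [System.Diagnostics.EventLog]::SourceExists('AD-SCOM')) {
    New-EventLog -LogName Application -Source 'AD-SCOM'   # needs admin rights, once
}
Write-EventLog -LogName Application -Source 'AD-SCOM' -EventId 6970 -EntryType $type -Message $message
```

A single caller computer behind most of the lockouts is the usual signature of a password-spraying or brute-force host, so the per-caller breakdown in the event message saves a round of manual triage when the alert fires.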
active directory · ad · PowerShell · script
