I want to use a sensor to tell me when users in AD are locked out or disabled. Is there some way to do this using PRTG?
Is it possible to monitor Active Directory User Account Status?
Votes:
0
25 Replies
Votes:
1
This article applies to PRTG Network Monitor 13 or later
Search AD-Account Custom Sensor
Using the code below in an EXE/Script Advanced sensor will allow you to query AD and find users that are locked out, disabled and more. The resulting users will be displayed in the last message field in PRTG telling you which accounts are specifically having issues.
Also, this code can be modified with different queries used with the Search-ADAccount command. You can find the different switches in the article here on Microsoft's Technet.
```powershell
Import-Module ActiveDirectory

# Query AD; -AccountDisabled returns disabled user accounts
$server=Search-ADAccount -AccountDisabled -UsersOnly | select SamAccountName

# Work out the count for no result, a single result, or several results
if ($server.count -eq $null -and $server -eq $null){
    $a=0
}
Elseif ($server.count -eq $null -and $server -ne $null){
    $a=1
}
Else {
    $a=@($server.count)
}

# Emit the PRTG XML result; the account names go into the sensor message
Write-Host "<prtg>"
Write-Host "<result>"
"<channel>Locked Out Users</channel>"
"<value>"+ $a +"</value>"
"</result>"
"<text>" + (($server | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"
Write-Host "</prtg>"
```
NOTE: Please keep in mind that this will require the PRTG machine to have the Active Directory PS Module which can be installed following this guide.
Created on Aug 27, 2013 1:47:35 PM by
Greg Campion [Paessler Support]
Last change on Apr 4, 2019 7:30:43 AM by
Sven Roggenhofer [Paessler Technical Support]
Votes:
0
Is it then possible to show the "Last Message" on a map? I'm able to get the number of locked out users to display but can't seem to get the information in the Last Message to show on my map.
Votes:
0
Hello keisenbarth, thank you for your inquiry.
To display a Sensor's message on a Map, you'll need to utilize the specific map objects which display the message content, for example:
- Status Icons > Sensor Message only (Transparent)
- Status Icons > Sensor Message only (On white)
- Status Icons > Sensor Message only on Status Related Background
There are several other objects which may display the sensor's message. Again, the objects listed above are an example.
Best Regards,
Created on Jan 11, 2016 6:47:39 AM by
Luciano Lingnau [Paessler]
Last change on Jan 11, 2016 6:47:53 AM by
Luciano Lingnau [Paessler]
Votes:
0
Thanks a lot, I can get the number of locked users, but I want to get the names of the locked users. Is it possible? How?
Votes:
0
Hello there,
The resulting users will be displayed in the last message field in PRTG telling you which accounts are specifically having issues.
Best Regards,
Luciano Lingnau [Paessler Support]
Votes:
0
This may be a silly question, but where is the "last message" field? I've got the script working, and the sensor reports when there's a locked user, but I can't for the life of me find the message field in the sensor (where I assume the name of the locked user would be).
Thanks Carl
Votes:
0
Hi there,
The message is displayed in the green sensor message bar, as displayed in the screenshot (just an example):
Best regards.
Votes:
0
Thanks for that. For some reason I couldn't see the woods for the trees. Perhaps as the sensor was just "ok", so I didn't notice it, and was looking in the channel section below. I could see it on the map ok, but not in the sensor. Don't I feel a little dim now? :-)
Votes:
0
Hi,
It's okay, we all have bright and "not so" bright moments. :)
Votes:
1
I have tried to add a change notification to this sensor, i.e. Locked Out users changes from 4 to 5, then I would like to have an email notification. But this change trigger does not seem to work on this sensor?
Votes:
0
Dear Kjetil Skjold,
Please open a new support ticket for that and forward us some screenshots of the sensor. We need the tabs Overview, Log, Notifications and Settings and also a screenshot from the parent-device (tab Settings).
Thank you very much in advance.
Best regards,
Sven
Votes:
0
Hey there. Does the Probe server need to run on the same Server as the locked out sensor is running? What to change in the PS, if the DC Server is in a group under the Probe Server? I know there is a locked out user, but the sensor is green and says (OK). Best regards Jan
Votes:
0
Hey Jan,
Thank you for your KB-posting.
- Does the Probe server need to run on the same Server as the locked out sensor is running? The sensor needs to run on a probe device (Local Probe or Remote Probe) which is a member of the very same domain as the target server is.
- What to change in the PS, if the DC Server is in a group under the Probe Server? There is no need to change anything in the PS script.
To analyze if you have all necessary modules installed, please open a PowerShell Console with administrative rights on the corresponding Probe Device and run the following two commands:
```powershell
Import-Module ActiveDirectory
Search-ADAccount -AccountDisabled -UsersOnly | select SamAccountName
```
Do you get any error message?
- I know there is a locked out user, but the sensor is green and says (OK). The sensor stays green as it returns a valid value from the script. So, actually, the sensor state shows if the script is working properly.
If you want to change the sensor to error state in case of 1, 2, 3, 4, ... locked users, simply configure Limits to the Locked Out Users channel.
Best regards,
Sven
Votes:
0
For me the Sensor is always Green. I did a few tests and locked out some accounts, but the sensor stays green. It does not detect lockouts. Says 0 all the time. Been running it for a few weeks and it has always said 0 even though I know that there have been lockouts... not sure what is going on.
Votes:
0
Hey Manny,
Please forward us a Support Bundle including the system log files for analysis. This can be done via the "Contact Support" ribbon in the lower right corner of the web interface.
Please enter this ticket's case number PAE900955 when submitting the Bundle.
Additionally, please head to the sensor settings and enable the option Sensor Result >> Write sensor result to disk (...). Afterwards, please forward us all (up to three) result files from the sensor. You should find these files under C:\ProgramData\Paessler\PRTG Network Monitor\Logs (Sensors).
Also, please forward us screenshots of one of the affected sensors (tabs: Overview, Log and Settings) and from the parent device (tab: Settings).
Thank you very much in advance.
Kind regards,
Sven
Votes:
0
Hi Sven,
Thanks for that. I have submitted the bundle, but I did not see an option to attach the screenshots and log. I'll reply to your email if I see one.
Thanks
Votes:
0
I am running this sensor on a Windows 2008 R2 Host. The host is where the PRTG Remote Probe is installed. I have installed the AD PowerShell tools through the Server Manager Features. The sensor is returning the following warning/error:
XML: The returned xml does not match the expected schema. (code: PE233) -- JSON: The returned json does not match the expected structure (Invalid JSON.). (code: PE231) |
Any assistance?
Created on Sep 21, 2017 7:23:52 PM
Last change on Apr 30, 2018 10:08:33 AM by
Luciano Lingnau [Paessler]
Votes:
0
Any suggestions how I could filter the monitor users in 1 OU?
Votes:
0
Simply adjust the following line:
$server=Search-ADAccount -AccountDisabled -UsersOnly | select SamAccountName
Use the following webpage for details:
You likely want to add the parameter -SearchBase
Regards
Florian Rossmark
Votes:
0
Hi everyone,
please pay attention, it seems some of you are mixing up disabled vs. locked accounts:
Disabled accounts: Search-ADAccount -AccountDisabled
LockedOut accounts: Search-ADAccount -LockedOut
Regards, Daniel
Votes:
0
Hi,
I had the problem that every value was null. If someone has the same problem, just install the AD Module for PowerShell via Server Manager.
Regards, Rene
Votes:
0
When I attempt to add the sensor to the probe device, it returns the value but does not add a "Locked User" channel as well as it remains in alarm with a value of 0. Any thoughts?
Votes:
0
All works fine, but is it possible to format the output for maps? It would be great that every returned value would be in one line, for example
user1 user2 user3 ...
Votes:
0
I have installed the script but it is always green with value 0. How can I give a value other than 0 to know that there is an error?
Votes:
0
Hello Eulises,
Thank you for your message.
Regarding the issue you are facing, can you make sure that you are running the latest version of PRTG and provide me the following information:
- Is the PowerShell module installed in 32bit?
- When you execute the script manually via the PowerShell console (x86), does it work properly?
- Which account do you use to execute the script (parameter Security Context in the sensor Settings tab)
- Is the PowerShell security enhancement feature enabled under Setup > System Administration > Monitoring | Experimental Features ?
I also invite you to replace the Write-Host commands in the script with Write-Output as indicated below:
```powershell
Write-Output @"
<prtg>
<result>
<channel>Locked Out Users</channel>
<value>$a</value>
</result>
<text>$((($server | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""",""))</text>
</prtg>
"@
```
Regards.
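The points raised across this thread (locked-out versus disabled accounts, the -SearchBase filter, Write-Output, and a sensor that shows 0 or invalid XML when the AD module is missing), combined in one added example; it is not Paessler's script. The `$SearchBase` parameter, the `Escape-Xml` helper and the "Disabled Users" channel name are assumptions introduced here.

```powershell
# Added example, not Paessler's script. Runs as an EXE/Script Advanced sensor.
param(
    # Assumption: optional OU distinguished name passed as a sensor parameter,
    # e.g. the constructed value "OU=Staff,DC=example,DC=com". Empty = whole domain.
    [string]$SearchBase = ""
)

function Escape-Xml([string]$s) {
    # Account names and error text go into XML, so escape & < > " '
    [System.Security.SecurityElement]::Escape($s)
}

try {
    # -ErrorAction Stop: a missing module or failed query is caught below
    # instead of leaving an empty result that would be reported as 0 users
    Import-Module ActiveDirectory -ErrorAction Stop

    $common = @{ UsersOnly = $true; ErrorAction = 'Stop' }
    if ($SearchBase) { $common.SearchBase = $SearchBase }

    # @() forces an array so .Count is right for zero, one or many results
    $locked   = @(Search-ADAccount -LockedOut @common)
    $disabled = @(Search-ADAccount -AccountDisabled @common)

    $names = ($locked | ForEach-Object { $_.SamAccountName }) -join ', '
    if (-not $names) { $names = 'none' }
    $text = Escape-Xml "Locked out: $names"

    Write-Output @"
<prtg>
<result><channel>Locked Out Users</channel><value>$($locked.Count)</value></result>
<result><channel>Disabled Users</channel><value>$($disabled.Count)</value></result>
<text>$text</text>
</prtg>
"@
}
catch {
    # PRTG's error form: valid XML that puts the sensor into the error state
    $msg = Escape-Xml "AD query failed: $($_.Exception.Message)"
    Write-Output "<prtg><error>1</error><text>$msg</text></prtg>"
}
```

Limits on each channel, as described earlier in the thread, still decide when a non-zero count turns the sensor to warning or error.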