Powershell Custom Sensor for monitoring AD User lockouts

Hello Bdmm,

Thank you very much for your valuable input, I'm pretty sure that there are users out there who will benefit from your script.

Best regards and thanks again.
Sebastian

Is it possible to monitor user account lockout status where the sensor is running on a different domain ?

Tested, works smooth as I have one user locked out and I can see the details in de settings. The counters says 0, so it needs a minor tweak to show 1 ? If users locked out >1, does this sensor show the number of locks, but without the details ??

Is it possible to monitor user account lockout status where the sensor is running on a different domain ?

possible yes, but does anybody have a solution to get the Data without the use of a Domain Admin ? Wen don't wan't to use any Domain Admins - instead we use local admins (when necessary and possible)

This should actually work with a regular user account - any domain user can gather information like this.

What you might need is the RSAT tools installed on the probe-device, besides that I do not see a reason why you shouldn't be able to execute this as a regular user.

Actually, you would be quite surprised seeing what a regular user account can read from your Active Directory. Please have a look at my free IT-Admins Tool at https://www.it-admins.com - you might be quite astonished.

Having this said - I would re-write the script and do it differently and a bit more extended.

The following script will read through your current Active Directory and filter for user accounts with the following specific conditions:

• Lockedout users - please read below
  • all users that are lockedout
  • must be an enabled user
  • that is not expired
• disabled users
  • all users that have been disabled
• expired users
  • must be an enabled user
  • the expiration date is set and past the current date
• users with password never expires set
  • must be an enabled user

This will give you a pure counter output per channel in an for PRTG Extended script sensor XML result.

But there is a theoretical flaw in one of the methods - the locked out users. Now, user accounts get locked out in Active Directory due to too many logon attempts with an invalid password. This causes Active Directory to set the lockedout bit in the object properties. The issue here is that this bit will not be set back to 0 after the defined lockout duration (GPO) is past, the property will only be set back to 0 once the lockout duration is passed and he successfully logged on.

This means, the counter might give you more results then currently true, it might count users that have been locked out but the lockout-duration passed - but they did not yet logon successfully. This is somehow a false positive, while not totally false. In any case, you need to be aware of this.

The script could be more efficient as well in the way it filters a few things, so far I optimized it as far as I could - the LockedOut value can not be set as a -Filter, in theory it might be possible to speed it up with a -Filter to the UserAccountControl - but I am not certain this would work. If you really want to speed it up you would need to work with -LDAPFilter - but this actually needs to completely replace the internal filter capabilities of Get-ADUser - you can't use both - it is one or the other.

Import-Module ActiveDirectory

#you could add - filters, a OU limitation or a server against whom this would be executed.. see Get-ADUser options for more details

#all locked users that aren't disabled or expired
$LockedOutUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {$_.lockedout -eq $True -and (($_.AccountExpirationDate -gt (Get-Date) -or ($_.AccountExpirationDate -eq $null)))} 

#all users that are disabled - this is a manual action in Active Directory
$DisabledUsers=Get-ADUser -Filter {Enabled -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

#all users that are not disabled but expired already
$ExpiredUsers=Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {(($_.AccountExpirationDate -gt (Get-Date) -or ($_.AccountExpirationDate -ne $null)))} 

#users with not expiring passwords and are enabled and not expired
$NotExpiringPWD=Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate 

If ($LockedOutUsers.count -eq $null -and $LockedOutUsers -eq $null){
    $cntLockedOutUsers=0
}Elseif ($LockedOutUsers.count -eq $null -and $LockedOutUsers -ne $null){
    $cntLockedOutUsers=1
}Else{
    $cntLockedOutUsers=@($LockedOutUsers.count)
}

If ($DisabledUsers.count -eq $null -and $DisabledUsers -eq $null){
    $cntDisabledUsers=0
}Elseif ($DisabledUsers.count -eq $null -and $DisabledUsers -ne $null){
    $cntDisabledUsers=1
}Else{
    $cntDisabledUsers=@($DisabledUsers.count)
}

If ($ExpiredUsers.count -eq $null -and $ExpiredUsers -eq $null){
    $cntExpiredUsers=0
}Elseif ($ExpiredUsers.count -eq $null -and $ExpiredUsers -ne $null){
    $cntExpiredUsers=1
}Else{
    $cntExpiredUsers=@($ExpiredUsers.count)
}

If ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -eq $null){
    $cntNotExpiringPWD=0
}Elseif ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -ne $null){
    $cntNotExpiringPWD=1
}Else{
    $cntNotExpiringPWD=@($NotExpiringPWD.count)
}

$XML += "<prtg>"
$XML += "<result>" 
$XML += "<channel>Locked Out Users</channel>" 
$XML += "<value>$cntLockedOutUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Disabled Users</channel>" 
$XML += "<value>$cntDisabledUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Expired Users - not disabled</channel>" 
$XML += "<value>$cntExpiredUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Users with password never expires</channel>" 
$XML += "<value>$cntNotExpiringPWD</value>" 
$XML += "</result>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}

WriteXmlToScreen $XML

The above script was as well posted on my blog here.

Regards

Florian Rossmark

www.it-admins.com

For correct value display when only 1 account is locked you can replace this :

if ($server.count -eq $null -and $server -eq $null){
    $a=0
}
Elseif ($server.count -eq $null -and $server -ne $null){
    $a=1
}
Else
{
    $a=@($server.count)
}

by this :

$server | ForEach-Object {$a++}

Thanks for that script, looking good so far. However, I fear there's an issue with "Expired Users - not disabled". I can imagine this is down to "Get-Date". It also matches users with an expiry date in the future which obviously is wrong. Adding a "-Format "dd.MM.yyyy HH:mm"" also returns the list containing too many users. Any idea?

You're welcome :)

Always happy to give back. Thanks a bunch to you for coming up with that. Saved time to self-develop.

Hi, where and how can I set a specific OU? I locked out one user for a test but the script shows 0 locked out users. I think the script is looking in the wrong OU.

Script doesn't cehck for a specific OU.

Bear in mind that lock out status needs to be synced between DCs so at the point of time you ran the script, it might either be not synced yet or account may have already unlock again, depending on your domain settings.

Hi,

the output of this script showed many (really many) users for the channel "Users with password never expires". I thought that this could not be true. Having a closer look at the script I saw this:

#users with not expiring passwords and are enabled and not expired
$NotExpiringPWD=Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

Shouldn't it be PasswordNeverExpires -eq $True ?

Good catch... it is a while that I played around with that script.. interestingly no one ever complained, lol...

You can easily run those commands manually and compare the output to Active Directory manually..

In theory there is more that should be adjusted here... cause the $ExpiredUsers filters for Password never expires $false as well.. so this would be a more updated version of the script

Additionally I added a few notes about how to filter OUs and execute it on a specific server.. in theory the whole script could be changed so it accepts parameter and does everything more variable.. but that's for another day..

Import-Module ActiveDirectory

#you could add - filters, a OU limitation or a server against whom this would be executed.. see Get-ADUser options for more details
#$Server = ""
#$OU = ""
#Get-ADUser -Server $Server -Filter
#Get-ADUser -SearchBase $OU -Filter

#all locked users that aren't disabled or expired
$LockedOutUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {$_.lockedout -eq $True -and (($_.AccountExpirationDate -gt (Get-Date) -or ($_.AccountExpirationDate -eq $null)))} 

#all users that are disabled - this is a manual action in Active Directory
$DisabledUsers=Get-ADUser -Filter {Enabled -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

#all users that are not disabled but expired already
$ExpiredUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {(($_.AccountExpirationDate -lt (Get-Date) -and ($_.AccountExpirationDate -ne $null)))} 

#users with not expiring passwords and are enabled and not expired
$NotExpiringPWD=Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate 


If ($LockedOutUsers.count -eq $null -and $LockedOutUsers -eq $null){
    $cntLockedOutUsers=0
}Elseif ($LockedOutUsers.count -eq $null -and $LockedOutUsers -ne $null){
    $cntLockedOutUsers=1
}Else{
    $cntLockedOutUsers=@($LockedOutUsers.count)
}

If ($DisabledUsers.count -eq $null -and $DisabledUsers -eq $null){
    $cntDisabledUsers=0
}Elseif ($DisabledUsers.count -eq $null -and $DisabledUsers -ne $null){
    $cntDisabledUsers=1
}Else{
    $cntDisabledUsers=@($DisabledUsers.count)
}

If ($ExpiredUsers.count -eq $null -and $ExpiredUsers -eq $null){
    $cntExpiredUsers=0
}Elseif ($ExpiredUsers.count -eq $null -and $ExpiredUsers -ne $null){
    $cntExpiredUsers=1
}Else{
    $cntExpiredUsers=@($ExpiredUsers.count)
}

If ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -eq $null){
    $cntNotExpiringPWD=0
}Elseif ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -ne $null){
    $cntNotExpiringPWD=1
}Else{
    $cntNotExpiringPWD=@($NotExpiringPWD.count)
}

$XML += "<prtg>"
$XML += "<result>" 
$XML += "<channel>Locked Out Users</channel>" 
$XML += "<value>$cntLockedOutUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Disabled Users</channel>" 
$XML += "<value>$cntDisabledUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Expired Users - not disabled</channel>" 
$XML += "<value>$cntExpiredUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Users with password never expires</channel>" 
$XML += "<value>$cntNotExpiringPWD</value>" 
$XML += "</result>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}

WriteXmlToScreen $XML

Hi,

I am trying to use the above script (PRTG v.18.4.46.1754) but i'm getting the below error:

XML: The returned XML does not match the expected schema. (code: PE233) -- JSON: The returned JSON does not match the expected structure (Invalid JSON.). (code: PE231)

Any ideas?

Dear lzsembera,

in order to debug this, please open the Settings tab of the sensor and enable "Write Exe result to disk".

After the next scans, the logs appear in "C:\ProgramData\Paessler\PRTG Network Monitor\Logs (Sensors)".

If you look at the Powershell output included in the log, do you see the cause of the script execution error?

Hi I have implemented this script, but even in a Powershell ISE session it errors when it comes to writing out the results:-

WriteXmlToScreen : Cannot process argument transformation on parameter 'xml'. Cannot convert value "<prtg><result><channel>Locked Out Users</channel><value>0</value></result><result><channel>Disabled Users</channel><value>0</value></result><result><channel>Expired Users - not disabled</channel><value>0</value></result><result><channel>Users with password never expires</channel><value>0</value></result></prtg><prtg><result><channel>Locked Out Users</channel><value>0</value></result><result><channel>Disabled Users</channel><value>558</value></result><result><channel>Expired Users - not disabled</channel><value>3</value></result><result><channel>Users with password never expires</channel><value>408</value></result></prtg><prtg><result><channel>Locked Out Users</channel><value>0</value></result><result><channel>Disabled Users</channel><value>558</value></result><result><channel>Expired Users - not disabled</channel><value>3</value></result><result><channel>Users with password never expires</channel><value>408</value></result></prtg><prtg><result><channel>Locked Out Users</channel><value>0</value></result><result><channel>Disabled Users</channel><value>558</value></result><result><channel>Expired Users - not disabled</channel><value>3</value></result><result><channel>Users with password never expires</channel><value>408</value></result></prtg>" to type "System.Xml.XmlDocument". Error: "This document already has a 'DocumentElement' node." At line:84 char:18 + WriteXmlToScreen $XML + ~~~~ + CategoryInfo : InvalidData: (:) [WriteXmlToScreen], ParameterBindingArgumentTransformationException + FullyQualifiedErrorId : ParameterArgumentTransformationError,WriteXmlToScreen

Any guidance?

Hi Ian,

The XML data posted from you looks like this:

<prtg>
<result><channel>Locked Out Users</channel><value>0</value></result>
<result><channel>Disabled Users</channel><value>0</value></result>
<result><channel>Expired Users - not disabled</channel><value>0</value></result>
<result><channel>Users with password never expires</channel><value>0</value></result>
</prtg>

<prtg>
<result><channel>Locked Out Users</channel><value>0</value></result>
<result><channel>Disabled Users</channel><value>558</value></result>
<result><channel>Expired Users - not disabled</channel><value>3</value></result>
<result><channel>Users with password never expires</channel><value>408</value></result>
</prtg>

<prtg>
<result><channel>Locked Out Users</channel><value>0</value></result>
<result><channel>Disabled Users</channel><value>558</value></result>
<result><channel>Expired Users - not disabled</channel><value>3</value></result>
<result><channel>Users with password never expires</channel><value>408</value></result>
</prtg>

<prtg>
<result><channel>Locked Out Users</channel><value>0</value></result>
<result><channel>Disabled Users</channel><value>558</value></result>
<result><channel>Expired Users - not disabled</channel><value>3</value></result>
<result><channel>Users with password never expires</channel><value>408</value></result>
</prtg>

Did you modify the script? I don't see any reason that the output would a) put in to the $XML value 4x times nor that you would have all 0s in the first XML Element group...

Florian

Forgive my ignorance, how do i install this?

Copy the script to EXEXML folder, restart Probe/Core then you can select it for custom script monitoring

Correct count of locked users is:

#If ($LockedOutUsers.count -eq $null -and $LockedOutUsers -eq $null){
#    $cntLockedOutUsers=0
#}Elseif ($LockedOutUsers.count -eq $null -and $LockedOutUsers -ne $null){
#       $cntLockedOutUsers=1
#}Else{
#    $cntLockedOutUsers=@($LockedOutUsers.count)
#}
$cntLockedOutUsers=@(Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {$_.lockedout -eq $True -and (($_.AccountExpirationDate -gt (Get-Date) -or ($_.AccountExpirationDate -eq $null)))}).count

Add before line:

$XML += "</prtg>"

this line:

$XML += "<text>$LockedOutUsers</text>"

to display locked users name in "Last Message"

Is there a way to set alerts based on the status? For instance, if the sensor reports a locked out user - it will send an alert or notification? If so, how do I do that?

Thanks!

Hello,

indeed, you can use PRTG's alerting to perform actions on specific statuses.

Hi, guys! Is it possible to set alert sent out every time when someone is locked? I play with Notification Triggers settings and no luck so far. I am new to PRTG and just hoping to get some guidance. Thank you!

Hello,

the closest thing would be the Change Trigger.

However that one registers changes of the sensor value which in this case could stay the same even if a new user is logged out (since another user could be no longer locked out then).

Hi,

I'm new to PRTG and have imported the script, which does alert when accounts are locked, which is great. However I also get the following message:

Response not well-formed: "(<prtg> <result> <channel>Locked Out Users</channel> <value>0</value> </result> <text></text> </prtg> )" (code: PE132)

This is either wrapped around the locked users or when no accounts are locked it just looks like above. Is there any way to get rid of this message?

Hello,

in this case, please check if you use the Exe/Script Advanced sensor (not the non-advanced version).