Получать уведомления о неправильном вводе пароля по почте.

snark · Конфигурация компьютера

На контроллере домена создал задание с триггером

Код:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=4 or Level=0) and (EventID=4740)]]</Select>
  </Query>
</QueryList>

К этому событию привязал выполнение Powershell скрипта:

Код:

$Theme = "Account have been locked out:" 
$Server = "10.200.100.1" 
$From = "AccountLockNotify@kontora.ru"
$To = "admin.1@kontora.ru","admin.2@kontora.ru" 
$encoding = [System.Text.Encoding]::UTF8

$Body = Get-WinEvent -maxevents 1 -FilterHashtable @{LogName = "Security";ID = 4740;StartTime = (Get-Date).AddSeconds(-120)} | Select TimeCreated,@{n = "Account";e = {([xml]$_.ToXml()).Event.EventData.Data | `
?{$_.Name -eq "TargetUserName"} | %{$_.'#text'}}}, @{n="Computer name";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "TargetDomainName"}| %{$_.'#text'}}}
$LockedUC = $Body -split '[;=}]'
$body = $body -replace "@{" -replace "}" -replace "=", ": " -replace ";","`n" -replace "TimeCreated","Time Created" -replace "^","`n" 
$BodyM = $Body
$Subject = "Account locked out: " + $LockedUC[3] + " @ " + $LockedUC[5]
Send-MailMessage -From $From -To $To -SmtpServer $server -Body "$Theme `n$BodyM" -Subject $Subject -Encoding $encoding