Locked User Account Notification (Windows 2003)
Our network's security policy is to lock user accounts after 5 unsuccessful logon attempts. Although it creates a bit of admin work and user frustration, it generally works well. However, some "process" accounts (i.e. ones created for a particular purpose rather than a person) also get locked out sometimes, and these locks often go unnoticed until something's gone badly wrong.
Is there a way of being notified when an account becomes locked?
I've thought of one possible solution (a batch file running a VB script, that populates a database with locked accounts, that is then interrogated by a reporting system that can send out alerts), but it seems a bit cumbersome, and I wonder if there's a better way. Are there any tools that might help, either built into Windows or available to buy?
Re: Locked User Account Notification (Windows 2003)
You may be able to improve on the following BATch file for NT4 from a little time ago...

@echo off
:: +----------+ test status of GRAJ03 every so often
:: I UNLOCKME I and unlock the account if found locked
:: +----------+ John Gray 10FEB1999
echo %~n0 is intended to run continuously ...
echo GRAJ03 was unlocked at the following times:
:: (the :check and :waitabit labels and the goto lines were missing from
::  the posted copy and are restored here so the loop actually runs)
:check
:: is our account locked out?
net user graj03 /domain | find "Locked" >nul
:: if not locked, just wait for a time interval to expire
if errorlevel 1 goto waitabit
:: put a time message on the screen
for /f %%a in ('time /t') do echo GRAJ03 unlocked at %%a
:: and set the account active again
net user graj03 /active /domain >nul
:: then go immediately to test the status
goto check
:waitabit
:: wait time where value is [number of seconds waited + 1]
ping -n 58 127.0.0.1 > nul
goto check
This has to be run in a Domain Admins-type account on another machine.
Note that I write better BATch files 8
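Building on the polling approach in the reply above, the following is an added example (not from the original thread) that watches several process accounts and records each lockout instead of silently re-enabling the account, which would defeat the lockout policy. The account names, polling interval, log path and event source are placeholders; it assumes English-language net user output and the eventcreate tool shipped with Windows XP/2003.

```batch
@echo off
:: lockwatch.cmd - poll a list of process accounts and raise an alert
:: when one becomes locked out (added example, placeholder names)
setlocal
:: accounts to watch: constructed placeholder names, space separated
set WATCHLIST=svc_backup svc_reports
:: alert log kept next to this script
set LOGFILE=%~dp0lockwatch.log

:check
for %%A in (%WATCHLIST%) do call :testone %%A
:: sleep about five minutes (ping trick: value = seconds waited + 1)
ping -n 301 127.0.0.1 >nul
goto check

:testone
:: net user prints "Account active  Locked" while the account is locked out
net user %1 /domain | find "Locked" >nul
if errorlevel 1 goto clear
:: alert once per lockout: SEEN_<account> marks an already-reported lockout
if defined SEEN_%1 goto :EOF
set SEEN_%1=1
echo %DATE% %TIME% %1 is locked out>>"%LOGFILE%"
:: write an Application-log warning that a monitoring system can forward
eventcreate /T WARNING /ID 100 /L APPLICATION /SO LockWatch /D "Account %1 is locked out" >nul
goto :EOF

:clear
:: account is not (or no longer) locked: allow the next lockout to alert again
set SEEN_%1=
goto :EOF
```

Run it under an account that can query domain accounts; it needs no rights to unlock anything, so it can use a less privileged account than the unlocking script above.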