  1. #1

    Locked User Account Notification (Windows 2003)

    Our network's security policy is to lock user accounts after 5 unsuccessful logon attempts. Although it creates a bit of admin work and user frustration, it generally works well. However, some "process" accounts (i.e. ones created for a particular purpose rather than a person) also get locked out sometimes, and these locks often go unnoticed until something's gone badly wrong.

    Is there a way of being notified when an account becomes locked?

    I've thought of one possible solution (a batch file running a VB script, that populates a database with locked accounts, that is then interrogated by a reporting system that can send out alerts), but it seems a bit cumbersome, and I wonder if there's a better way. Are there any tools that might help, either built in to Windows or available to buy?

  2. #2

    Re: Locked User Account Notification (Windows 2003)

    You may be able to improve on the following BATch file for NT4 from a little time ago...
    <pre>
    @echo off
    :: +----------+ test status of GRAJ03 every so often
    :: I UNLOCKME I and unlock the account if found locked
    :: +----------+ John Gray 10FEB1999
    echo %~n0 is intended to run continuously ...
    echo GRAJ03 was unlocked at the following times:
    :start
    :: is our account locked out?
    net user graj03 /domain | find "Locked" >nul
    :: if not locked, just wait for a time interval to expire
    if errorlevel 1 goto waitabit
    :: put a time message on the screen
    for /f %%a in ('time /t') do echo GRAJ03 unlocked at %%a
    :: and set the account active again
    net user graj03 /active /domain >nul
    :: then go immediately to test the status
    goto start
    :waitabit
    :: wait time where value is [number of seconds waited + 1]
    ping -n 58 127.0.0.1 > nul
    goto start
    </pre>

    This has to be run in a Domain Admins-type account on another machine.

    Note that I write better BATch files 8
    John

    Ita, esto, quidcumque...
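
The question in this thread asks for notification rather than automatic unlocking. As an added example (not code from either post), the batch file below adapts the polling approach above to write one Application event log warning per lockout. The account names, the state directory, the event source `LockWatch` and event ID 900 are assumptions; it relies on English `net user` output and on `eventcreate`, which ships with Windows XP and Server 2003.

```bat
@echo off
:: Added example: report locked process accounts instead of unlocking them.
:: Account names, state directory, event source and event ID are assumptions.
setlocal
set ACCOUNTS=svc_backup svc_reports
set STATE=%TEMP%\lockwatch
if not exist "%STATE%" mkdir "%STATE%"

:poll
for %%A in (%ACCOUNTS%) do call :check %%A
:: wait about 57 seconds, as the batch file in the thread does
ping -n 58 127.0.0.1 >nul
goto poll

:check
:: capture the output so a failed query is not mistaken for "not locked"
net user %1 /domain >"%STATE%\%1.out" 2>nul
if errorlevel 1 goto queryfailed
if exist "%STATE%\%1.failed" del "%STATE%\%1.failed"
:: test only the status line, so "Locked" in a comment field is ignored
find "Account active" <"%STATE%\%1.out" | find "Locked" >nul
if errorlevel 1 goto notlocked
:: locked: alert once per lockout, not on every poll
if exist "%STATE%\%1.locked" goto :eof
echo %date% %time% >"%STATE%\%1.locked"
call :alert "Account %1 is locked out"
goto :eof

:notlocked
:: clear the marker so the next lockout raises a new alert
if exist "%STATE%\%1.locked" del "%STATE%\%1.locked"
goto :eof

:queryfailed
:: report a failing query once, until a query succeeds again
if exist "%STATE%\%1.failed" goto :eof
echo %date% %time% >"%STATE%\%1.failed"
call :alert "Could not query account %1"
goto :eof

:alert
:: %1 is the quoted message; %~1 is the same text without the quotes
echo %date% %time% %~1
eventcreate /T WARNING /L APPLICATION /SO LockWatch /ID 900 /D %1 >nul
goto :eof
```

Any tool that watches the Application log can then alert on that source and event ID.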
