2007-07-19, 06:35 #1
- Join Date
- Nov 2002
- Farnborough, Hampshire, England
- Thanked 0 Times in 0 Posts
Locked User Account Notification (Windows 2003)
Our network's security policy is to lock user accounts after 5 unsuccessful logon attempts. Although it creates a bit of admin work and user frustration, it generally works well. However, some "process" accounts (i.e. ones created for a particular purpose rather than a person) also get locked out sometimes, and these locks often go unnoticed until something's gone badly wrong.
Is there a way of being notified when an account becomes locked?
I've thought of one possible solution (a batch file running a VB script, that populates a database with locked accounts, that is then interrogated by a reporting system that can send out alerts), but it seems a bit cumbersome, and I wonder if there's a better way. Are there any tools that might help, either built in to Windows or available to buy?
2007-07-19, 10:29 #2
- Join Date
- Jan 2001
- Quedgeley, Gloucester, England
- Thanked 1 Time in 1 Post
Re: Locked User Account Notification (Windows 2003
You may be able to improve on the following BATch file for NT4 from a little time ago...
<pre>@echo off
:: +----------+ test status of GRAJ03 every so often
:: I UNLOCKME I and unlock the account if found locked
:: +----------+ John Gray 10FEB1999
echo %~n0 is intended to run continuously ...
echo GRAJ03 was unlocked at the following times:
:testit
:: is our account locked out?
net user graj03 /domain | find "Locked" >nul
:: if not locked, just wait for a time interval to expire
if errorlevel 1 goto waitabit
:: put a time message on the screen
for /f %%a in ('time /t') do echo GRAJ03 unlocked at %%a
:: and set the account active again
net user graj03 /active /domain >nul
:: then go immediately to test the status
goto testit
:waitabit
:: wait time where value is [number of seconds waited + 1]
ping -n 58 127.0.0.1 >nul
goto testit</pre>
This has to be run in a Domain Admins-type account on another machine.
Note that I write better BATch files
John
Ita, esto, quidcumque...
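A notify-only take on the polling approach in the batch file above, as an added example that is not part of either post: it runs the same `net user` check over a list of process accounts and sends mail the first time one is seen locked, without unlocking it. The account names, state file path, SMTP host and addresses are assumptions, as is the exact layout of the `net user` status line beyond the word "Locked" that the batch file searches for.

```powershell
# Added example: alert when a process account becomes locked (it never unlocks one).
# Assumed values: account list, state file path, SMTP host and mail addresses.
$Accounts  = 'svc_backup', 'svc_reports'            # hypothetical process accounts
$StateFile = Join-Path $env:TEMP 'locked-accounts.txt'

# True when the output of `net user <name> /domain` reports the account as locked.
function Test-LockedOutput([string[]]$NetUserOutput) {
    foreach ($line in $NetUserOutput) {
        if ($line -match '^Account active\b.*\bLocked\b') { return $true }
    }
    return $false
}

# Names that are locked now but were not locked at the previous poll.
function Get-NewlyLocked([string[]]$LockedNow, [string[]]$LockedBefore) {
    @($LockedNow | Where-Object { $LockedBefore -notcontains $_ })
}

# One poll: compare with the saved state and mail only on a new lockout.
function Invoke-LockoutPoll {
    $before = @()
    if (Test-Path $StateFile) { $before = @(Get-Content $StateFile) }
    $now = @($Accounts | Where-Object { Test-LockedOutput (net user $_ /domain 2>$null) })
    $new = @(Get-NewlyLocked $now $before)
    if ($new.Count -gt 0) {
        Send-MailMessage -SmtpServer 'smtp.example.test' -From 'lockout@example.test' `
            -To 'admins@example.test' -Subject "Account locked: $($new -join ', ')" `
            -Body "Detected $(Get-Date -Format s). Investigate the failed logons before unlocking."
    }
    Set-Content -Path $StateFile -Value $now
}

# Constructed sample of the relevant `net user` lines, to exercise the parser offline.
$sample = @(
    'User name                    svc_backup',
    'Account active               Locked',
    'Account expires              Never'
)
Test-LockedOutput $sample
Get-NewlyLocked @('svc_backup') @()

# Live use: call Invoke-LockoutPoll from a scheduled task, e.g. once a minute.
```

Because the state file records which accounts were already locked, a lockout that persists across polls produces one message rather than one per minute.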