It is good to know how many of your user accounts are locked out right now. I would go as far as saying you should monitor this and set alert levels on it, because a rising lockout count can indicate and reveal a brute-force style attack against your system.
Doing it manually in PowerShell (assuming you have the RSAT / Active Directory PowerShell module installed) can be done with the following commands, which show you who is locked out and the calculated count as well:
```powershell
# @() guarantees a .Count property even when zero or exactly one account is locked out
$s = @(Search-ADAccount -LockedOut)
$s | Format-Table
'CurrentCount: ' + $s.Count
```
Using PRTG you can add the following script as an EXE/Script Advanced sensor:
```powershell
Import-Module ActiveDirectory

# -1 is the sensor's error marker; it is only overwritten if the query succeeds.
$Count = -1
$Accounts = @()
$Users = ""
try {
    # @() guarantees a .Count even when zero or exactly one account is locked out;
    # -ErrorAction Stop turns a failed query into a catchable error so -1 is kept.
    $Accounts = @(Search-ADAccount -LockedOut -ErrorAction Stop)
    $Count = $Accounts.Count
} catch {
    $Users = "Query failed: $($_.Exception.Message)"
}

if ($Count -ge 0) {
    # Build the text channel: the SamAccountNames of all locked-out accounts
    foreach ($user in $Accounts) {
        if ($Users.Length -gt 0) { $Users += " / " }
        $Users += $user.SamAccountName
    }
}

# Escape the text so characters such as & or < cannot break the XML cast below
$Users = [System.Security.SecurityElement]::Escape($Users)

$XML  = "<prtg>"
$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"
$XML += "<text>$Users</text>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter
    $XmlWriter.Formatting = "indented"
    $xml.WriteTo($XmlWriter)
    $XmlWriter.Flush()
    $StringWriter.Flush()
    Write-Output $StringWriter.ToString()
}

WriteXmlToScreen $XML
```
After adding it as a sensor, it creates a single channel with the number of locked-out users. You should set error limits on that channel:
- lower error limit: 0
- the script returns -1 if an error occurred, so any value below 0 means the query itself failed rather than that nobody is locked out
- upper error limit: this depends on your user base. I would say about 5% of your users, no more. It also depends on the lockout duration in your security policy, since a longer duration keeps locked accounts in the count for longer.
The advantage of the script in PRTG is that it always reports back additional text: the SamAccountNames of the currently locked-out accounts, i.e. the user names. So in case the sensor raises an error, you immediately see which accounts are affected.
If a brute-force attack is in progress, you may see the value spike and drop again as lockouts expire, meaning someone is trying to find an account to get in with. Because the lockout attribute triggers urgent replication between your domain controllers (it bypasses the regular replication interval), you can run the query against the domain as a whole; the script simply uses the logon domain of the executing user.
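As an added example (not code from the original post), the following PowerShell derives the upper error limit from the size of the enabled user base using the 5% rule of thumb above, reads the domain lockout policy so you can see the lockout duration and threshold that shape the count, and then checks the current lockout count against that limit. It assumes the ActiveDirectory module is installed and that the caller can read the domain; the function names Get-LockoutBaseline and Test-LockoutLevel and the 0.05 default ratio are my own choices.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory (RSAT)
# module is installed and the caller can read users and policy from the logon domain.
Import-Module ActiveDirectory

function Get-LockoutBaseline {
    param([double]$Ratio = 0.05)   # fraction of enabled users tolerated locked out (assumed 5%)

    # Enabled accounts form the denominator; disabled accounts cannot be locked out by logons.
    $enabled = @(Get-ADUser -Filter 'Enabled -eq $true').Count

    # The domain policy governs how fast the count can rise (LockoutThreshold) and how
    # long an account stays in the count (LockoutDuration). A threshold of 0 means
    # lockout is disabled and this sensor will never move.
    $policy = Get-ADDefaultDomainPasswordPolicy

    [pscustomobject]@{
        EnabledUsers      = $enabled
        LockoutThreshold  = $policy.LockoutThreshold
        LockoutDuration   = $policy.LockoutDuration
        ObservationWindow = $policy.LockoutObservationWindow
        # Never go below 1 so that a single lockout in a tiny domain is not an error by itself
        MaxErrorLimit     = [int][math]::Max(1, [math]::Ceiling($enabled * $Ratio))
    }
}

function Test-LockoutLevel {
    param([int]$MaxErrorLimit)

    # Same query the sensor uses; @() keeps .Count meaningful for 0 or 1 results
    $locked = @(Search-ADAccount -LockedOut)
    $names  = ($locked | ForEach-Object SamAccountName) -join ' / '

    [pscustomobject]@{
        Locked   = $locked.Count
        Limit    = $MaxErrorLimit
        Exceeded = ($locked.Count -gt $MaxErrorLimit)
        Accounts = $names
    }
}

$baseline = Get-LockoutBaseline
$baseline | Format-List
Test-LockoutLevel -MaxErrorLimit $baseline.MaxErrorLimit | Format-List
```

Run it once when you set up the sensor to get a defensible number for the upper error limit, and rerun it whenever the user base or the lockout policy changes; if LockoutThreshold comes back as 0, the channel will stay flat no matter how many bad passwords are tried.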