
I would like to email the SysAdmin when event ID 4625 (Account lockout) occurs.

I have the following code, and it works just fine. See the attached output:

Current code:

# Newest 4625 event from the Security log (needs rights to read that log)
$AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4625 -Newest 1
# ReplacementStrings[0] of a 4625 event is SubjectUserSid (this is where the S-1-0-0 in the subject line comes from)
$LockedAccount = $AccountLockOutEvent.ReplacementStrings[0]
$AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
$AccountLockOutEventMessage = $AccountLockOutEvent.Message
$messageParameters = @{
    Subject    = "Account Locked Out: $LockedAccount"
    Body       = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage"
    From       = ""   # sender address
    To         = ""   # SysAdmin address
    SmtpServer = ""   # mail relay
}
Send-MailMessage @messageParameters

Questions for the PowerShell gurus

1 - How can I capture the exact reason for the lockout instead of %%2313, and other information such as the sAMAccountName? Instead of using "Account locked out S-1-0-0" in the subject line, I want to see the account name there.
2 - Is there a way to get the AD user information so that we can email the user at the same time, informing them that their account was locked out and that they should contact the SysAdmin to unlock it?

Sunny J
  • Question 2: If their account is locked out, how are they going to be able to log in to check their email and read the message that their account got locked out? – HAL9256 Feb 07 '20 at 23:55
  • That's a good question. The email address used during account creation is always different from the AD account domain. To be brief, they are two separate domains. Example: their AD account is demo@abc.com and their email is demo@xyz.com. So, I'd like to send the email to the xyz.com address. – Sunny J Feb 08 '20 at 01:02

1 Answer


You can use this snippet to get an output that contains the fields you need: SubjectUserName and SubjectDomainName.

# Newest 4625 event; Get-WinEvent exposes the event as XML via ToXml()
$event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625 } -MaxEvents 1
[xml]$eventXML = $event.ToXml()
# Each <Data Name="..."> element under EventData carries one named field in its #text
$eventXML.Event.EventData.Data

Output will look like this.

Name              #text
----              -----
SubjectUserSid    S-0-0-00-0000000000-0000000000-0000000000-0000
SubjectUserName   MyUsername
SubjectDomainName MyHostname
SubjectLogonId    0x00000000
PrivilegeList     SeSecurityPrivilege
Zucchini
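As an added example (this is not code from the question or from the answer above), the script below covers both questions: it turns a 4625 event's EventData into named fields, decodes the NTSTATUS code in Status/SubStatus instead of relying on the unresolved %%2313 FailureReason parameter, and looks up the user's mail attribute through the ActiveDirectory module so that a second copy of the notice can go to the mailbox in the other domain. Two points matter before wiring this up. First, in event 4625 the account that failed to log on is TargetUserName/TargetDomainName (ReplacementStrings[5] and [6]); SubjectUserName is the account that requested the logon, and index 0 is SubjectUserSid, which is why the subject line shows S-1-0-0. Second, 4625 is a failed logon, not a lockout: an actual lockout of a domain account is event 4740 on the domain controller, while a 4625 whose Status is 0xC0000234 only tells you the account was already locked when someone tried it. The sample event XML, the addresses and the SMTP host are constructed for illustration; live use assumes an elevated session that can read the Security log and the ActiveDirectory RSAT module.

```powershell
# Added example, not code from the question or answer above.
# Parses Security event 4625 into named fields, decodes the failure code,
# and mails the SysAdmin plus the user's own (other-domain) mailbox.

# NTSTATUS values seen in the Status / SubStatus fields of event 4625.
$FailureCodes = @{
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'Wrong password'
    '0xC000006D' = 'Bad user name or password'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Logon from unauthorised workstation'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC0000193' = 'Account expired'
    '0xC0000224' = 'Password must be changed at next logon'
    '0xC0000234' = 'Account locked out'
}

function ConvertFrom-Event4625 {
    # Collects the <Data Name="..."> elements into a hashtable and reports the
    # fields that matter. Status/SubStatus replace the %%nnnn FailureReason
    # parameter, which Get-EventLog leaves unresolved in .Message.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # SubStatus holds the precise reason when set; otherwise Status does
    # (a locked-out account shows Status 0xC0000234 and SubStatus 0x0).
    $code = $data['SubStatus']
    if (-not $code -or $code -eq '0x0') { $code = $data['Status'] }
    $reason = $FailureCodes[$code]          # @{} keys are case-insensitive
    if (-not $reason) { $reason = "Unknown failure code $code" }
    [pscustomobject]@{
        Account    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SamAccount = $data['TargetUserName']   # the account that failed, not SubjectUserName
        Reason     = $reason
        Status     = $data['Status']
        SubStatus  = $data['SubStatus']
        LogonType  = $data['LogonType']
        SourceHost = $data['WorkstationName']
        SourceIP   = $data['IpAddress']
        Time       = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Computer   = $EventXml.Event.System.Computer
    }
}

function Send-LogonFailureNotice {
    # Mails the SysAdmin and, when the AD object has a mail attribute, the user.
    # Addresses and SMTP host are hypothetical placeholders.
    param(
        [Parameter(Mandatory)]$Failure,                 # output of ConvertFrom-Event4625
        [string]$AdminAddress = 'sysadmin@xyz.com',
        [string]$From         = 'alerts@xyz.com',
        [string]$SmtpServer   = 'smtp.xyz.com'
    )
    $to = @($AdminAddress)
    # -Identity takes the value as a literal name. TargetUserName is whatever was
    # typed at a logon prompt, so never splice it into a -Filter/-LDAPFilter string.
    $user = $null
    try   { $user = Get-ADUser -Identity $Failure.SamAccount -Properties mail, LockedOut -ErrorAction Stop }
    catch { Write-Warning "No AD object for $($Failure.SamAccount): $_" }
    if ($user -and $user.mail) { $to += $user.mail }
    $body = @"
Account $($Failure.Account) failed to log on to $($Failure.Computer) at $($Failure.Time).
Reason: $($Failure.Reason) (Status $($Failure.Status), SubStatus $($Failure.SubStatus))
Logon type $($Failure.LogonType) from $($Failure.SourceHost) ($($Failure.SourceIP)).
Currently locked out in AD: $(if ($user) { $user.LockedOut } else { 'unknown (no AD object)' })
Contact the SysAdmin at $AdminAddress if you need the account unlocked.
"@
    Send-MailMessage -From $From -To $to -SmtpServer $SmtpServer `
        -Subject "Logon failure: $($Failure.Account) - $($Failure.Reason)" -Body $body
}

# Constructed sample event (wrong password for ABC\demo from WS01) so the parsing
# can be exercised offline; a real event comes from Get-WinEvent, shown at the end.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2020-02-07T23:55:00.000Z"/>
    <Computer>WS01.abc.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">demo</Data>
    <Data Name="TargetDomainName">ABC</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>
'@

$failure = ConvertFrom-Event4625 -EventXml ([xml]$SampleXml)
$failure | Format-List          # Account ABC\demo, Reason 'Wrong password'

# Live use (elevated session, ActiveDirectory module available):
# $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 1
# Send-LogonFailureNotice -Failure (ConvertFrom-Event4625 -EventXml ([xml]$ev.ToXml()))
```

If what you actually want is a lockout notification rather than one mail per failed logon, run the same kind of script against event 4740 on the domain controller (or bind it to that event with a scheduled task), where TargetUserName is the locked account; filtering 4625 by Status 0xC0000234 on a member server only catches attempts made after the lock was already in place, and on a busy server 4625 alone will generate a mail for every mistyped password.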