0 votes

Mainly because we are heavy ActiveSync users, we have a lot of issues with AD Account lockouts. I'd like to have an automated way to detect account lockouts, and take an action (send an email, etc.) based on that condition.

Now, I have a PowerShell script that I use to check the condition of this, but I can't run the scheduled task in Adaxes with enough frequency for it to fire appropriately.

Do you have a way to check for this condition?

by (470 points)
0

Hello,

Please clarify: do you want to run your script more often than once an hour, or is the issue that your script does not detect locked accounts correctly?

0

The script that I have does correctly detect the locked-out accounts. The problem now is that I cannot run the event, say, every 30 minutes.

But, additionally, if there is already a variable or Adaxes condition for locked status, please advise me so that I can implement this.

1 Answer

0 votes
by (216k points)

Hello,

It is impossible to run a Scheduled Task more often than once an hour. This feature is in our TODO list. Most probably, it will be implemented in Adaxes version 2013.1 that is planned for late January.

As for checking if an account is locked, there is no built-in condition to check if an account is locked, but you can use the If PowerShell script returns true condition for this purpose.

To add such a condition to your Scheduled Task:

  1. Right-click the set of actions and conditions of your Scheduled Task.

  2. Click Add Condition....

  3. Add the If PowerShell script returns true condition and paste the following script:

     $Context.ConditionIsMet = $Context.TargetObject.IsAccountLocked

The script uses the IsAccountLocked property of the user object. As an option, you can use it in your own script, for example:

    $isAccountLocked = $Context.TargetObject.IsAccountLocked
    if ($isAccountLocked)
    {
        # TODO: add some code here.
    }
0

Thank you for the response. That is, in effect, what I'm using. So, the limitation is that this can only "fire" on demand when the script is run manually or a maximum of once per day.

0

Joe,

The minimum time interval for a Scheduled Task is once an hour.

0

Starting from Adaxes 2013.1, Scheduled Tasks can be set up to run every N minutes.

Also, now you don't need a script to check whether an account is locked out. Use the If account is locked out / not locked out condition.

0

Perfect! I've already changed the task.

0

How would I check every single user in my AD?

Would I just create a for-each loop...? Would anyone mind posting code that does this?

0

Hello Michael,

The posts in this topic suggest that you create a Scheduled Task. On the final step of the Create Scheduled Task wizard, you are supposed to specify an Activity Scope for the task. A Scheduled Task Activity Scope defines the objects for which the task will be run. If you include All objects in the Activity Scope of a Scheduled Task created per the above instructions, this will mean that the task will run for each user account in your Active Directory. In other words, it will check each user.
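
For readers who want the loop written out without Adaxes: the following is an added example, not code from this thread or from Adaxes. It performs the same per-user check with Microsoft's ActiveDirectory module and keeps only lockouts that began within the task interval, so a job run every N minutes does not report the same lockout twice. `Select-RecentLockout` is a hypothetical helper name, and the three sample records are constructed so the filter can be tried without a domain.

```powershell
# Added example. Select-RecentLockout is a hypothetical helper, not an Adaxes or AD cmdlet.
function Select-RecentLockout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $User,
        [int] $WindowMinutes = 30,          # match this to the schedule interval
        [datetime] $Now = (Get-Date)
    )
    process {
        # lockoutTime is a FILETIME (100-ns ticks since 1601, UTC); 0 or empty means never locked.
        $raw = [int64]$User.lockoutTime
        if ($raw -le 0) { return }
        $lockedAt = [datetime]::FromFileTimeUtc($raw)
        $age = $Now.ToUniversalTime() - $lockedAt
        # Skip lockouts older than the window: an earlier run already reported them.
        if ($age.TotalMinutes -gt $WindowMinutes) { return }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            LockedAtUtc    = $lockedAt
            MinutesAgo     = [math]::Round($age.TotalMinutes, 1)
            BadLogonCount  = $User.BadLogonCount   # per-DC value, not replicated
        }
    }
}

# Constructed sample records (not real accounts) to exercise the filter offline.
$now = [datetime]::new(2024, 1, 15, 12, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   lockoutTime = $now.AddMinutes(-10).ToFileTimeUtc(); BadLogonCount = 6 }
    [pscustomobject]@{ SamAccountName = 'asmith'; lockoutTime = $now.AddHours(-5).ToFileTimeUtc();    BadLogonCount = 5 }
    [pscustomobject]@{ SamAccountName = 'bwong';  lockoutTime = 0;                                    BadLogonCount = 0 }
)
$sample | Select-RecentLockout -WindowMinutes 30 -Now $now | Format-Table -AutoSize

# Live query (needs the ActiveDirectory module and a reachable domain controller).
# Search-ADAccount decides which users are locked out right now; lockoutTime alone
# can stay non-zero after the lockout duration has expired.
# Search-ADAccount -LockedOut -UsersOnly |
#     ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties lockoutTime, BadLogonCount } |
#     Select-RecentLockout -WindowMinutes 30
```

With the sample data only `jdoe` is reported; `asmith` falls outside the 30-minute window and `bwong` has never been locked.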
