Account Lockout and Automatic Email notification to Managers

  • Question

  • Currently we are trying to reduce the number of Remedy tickets and would like to hand over unlock operations to the user's manager or reporting officer.

    I know it is very possible to create a script that reports on the locked-out users every defined number of minutes. But what I want to achieve is simply the below:

    1. User ID gets locked.
    2. Automatically send email to the target user's manager or Reporting Officer.
    3. Manager or Reporting Officer unlocks the user ID (we will give delegation for Managers to only unlock AD user accounts).
    4. User logs in to the PC without contacting the support desk, and we can reduce the number of Remedy tickets generated.

    Thanks for reading my question.

    Monday, November 16, 2015 2:13 AM

Answers

  • Dear All,

    Thank you for your suggestions.

    I think the below is something that might be helpful for my scenario.

    https://gallery.technet.microsoft.com/Script-to-check-locked-66270d0c

    • Proposed as answer by Mary Dong Thursday, November 19, 2015 8:28 AM
    • Marked as answer by Mary Dong Tuesday, December 1, 2015 2:20 AM
    Thursday, November 19, 2015 7:19 AM
  • Hi V-2sahs,

    The script you linked finds all locked out accounts and sends an email to the person designated as manager for each such user. If this part meets your needs, I would suggest that the last statement, which unlocks the account, be removed. This statement can be in a separate script used by the managers themselves to unlock the account. This way, the account is not automatically unlocked as soon as it becomes locked, but allows the manager to consider the situation, and perhaps contact the person to make sure it was they that locked the account instead of an intruder.

    Also, let us know if the script works, as it appears to send the email to the distinguished name of the manager. It also requires PowerShell V5, so I cannot test it now.


    Richard Mueller - MVP Directory Services

    • Marked as answer by Mary Dong Tuesday, December 1, 2015 2:20 AM
    Thursday, November 19, 2015 1:28 PM
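The gallery script itself is not reproduced on this page. The following is an added example, not the linked script and not written by any participant in the thread, that does what the accepted answer recommends: it reports recently locked-out accounts to the manager on record, resolves the manager attribute (a distinguished name) to a mail address before sending, and never unlocks anything. The manager-side unlock is a separate function that only does an advisory "are you the manager" check; the real restriction is the AD permission delegated to managers. SMTP host, sender address, fallback mailbox, search base and polling interval are assumed placeholder values.

```powershell
# Added example: lockout notifier (no unlock) plus a separate manager-side unlock helper.
# Assumptions (change for your environment): SMTP host, sender, fallback mailbox,
# search base and the interval at which the scheduled task runs this script.
Import-Module ActiveDirectory

$SmtpServer   = 'smtp.corp.example'            # assumption
$From         = 'lockout-alerts@corp.example'  # assumption
$FallbackTo   = 'servicedesk@corp.example'     # assumption: used when no manager or no mail
$SearchBase   = 'OU=Staff,DC=corp,DC=example'  # assumption
$SinceMinutes = 15                             # assumption: same as the scheduled task interval

function Send-LockoutNotifications {
    $since = (Get-Date).AddMinutes(-$SinceMinutes)

    # Search-ADAccount -LockedOut lists accounts whose lockoutTime is set and still
    # within the domain lockout duration. Filtering on AccountLockoutTime keeps each
    # run from re-notifying lockouts that were already reported by the previous run.
    $locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase |
        Get-ADUser -Properties Manager, AccountLockoutTime, mail |
        Where-Object { $_.AccountLockoutTime -and $_.AccountLockoutTime -ge $since }

    foreach ($user in $locked) {
        # 'Manager' holds a distinguishedName, not an address: resolve it to 'mail'.
        $to = $FallbackTo
        $managerName = '(no manager set)'
        if ($user.Manager) {
            $manager = Get-ADUser -Identity $user.Manager -Properties mail
            $managerName = $manager.Name
            if ($manager.mail) { $to = $manager.mail }
        }

        $subject = "Account locked: $($user.SamAccountName)"
        $body = @"
The account $($user.SamAccountName) ($($user.Name)) was locked out at $($user.AccountLockoutTime).
Manager on record: $managerName

If the user confirms they caused the lockout (mistyped password, stale saved credential),
unlock it with the manager unlock script. If the user did not cause it, do not unlock it
and report it to the service desk, since repeated bad passwords may be an attack.
"@
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to -Subject $subject -Body $body
    }
    return $locked.Count
}

# Belongs in the separate script handed to managers. The manager comparison is a
# courtesy check only: what actually limits the manager is the lockoutTime write
# permission delegated in AD, which is per OU, not per manager relationship.
function Unlock-ReportAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties Manager, LockedOut
    $me   = Get-ADUser -Identity $env:USERNAME
    if ($user.Manager -ne $me.DistinguishedName) {
        throw "You are not the manager on record for $SamAccountName"
    }
    if (-not $user.LockedOut) {
        Write-Host "$SamAccountName is not locked out"
        return
    }
    Unlock-ADAccount -Identity $user
    Write-Host "Unlocked $SamAccountName"
}

Send-LockoutNotifications
```

Run the notifier from a scheduled task under an account that can read lockoutTime and Manager (any domain user can, by default) and nothing more; it needs no write access to AD. Give managers only the second function, so the unlock is a deliberate action after they have spoken to the user.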

All replies

  • Hi V-2sahs,

    Thanks for your post.

    >Automatically send email to target user's manager or Reporting Officer

    You may use the related scripts to send account lockout email notifications to the persons in charge.

    https://gallery.technet.microsoft.com/scriptcenter/How-to-send-account-cdae5b39

    http://blogs.technet.com/b/onescript/archive/2014/07/17/script-of-july-17-how-to-send-account-lockout-email-notification.aspx

    >Manager or Reporting Officer unlocks the user ID (We will give delegation for Maangers to only Unlock AD User Accounts).

    And for delegating control of unlock rights to those persons in charge, you could use the Delegation of Control Wizard.

    Here is the article for more details.

    How To Delegate the Unlock Account Right

    https://support.microsoft.com/en-us/kb/294952

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 16, 2015 5:59 AM
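The same delegation can be scripted instead of clicked through the wizard. The following added example (not from the thread or the linked KB article) grants a group Read and Write on the lockoutTime property of user objects below an OU, which is the right the KB article describes for unlocking, and then reads the ACL back to confirm nothing wider was granted. The group name and OU are assumptions; the schema GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example: delegate "unlock account" (write lockoutTime on user objects) to a
# group, equivalent to the custom task in the Delegation of Control Wizard.
# Assumptions: group name and target OU below are placeholders.
Import-Module ActiveDirectory

$GroupName = 'Managers-UnlockOnly'            # assumption
$TargetOU  = 'OU=Staff,DC=corp,DC=example'    # assumption

function Grant-UnlockDelegation {
    param([string]$Group = $GroupName, [string]$OU = $TargetOU)

    # Resolve the schemaIDGUIDs for the lockoutTime attribute and the user class
    # from the schema partition, so the ACE is scoped to exactly that property.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
    $userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

    $groupSid = (Get-ADGroup -Identity $Group).SID
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # ACE: Allow <group> ReadProperty|WriteProperty on lockoutTime,
    # inherited by descendant objects of class user only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutTimeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)

    $acl = Get-Acl -Path "AD:\$OU"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Test-UnlockDelegation {
    param([string]$Group = $GroupName, [string]$OU = $TargetOU)
    # Read the ACL back: the group should appear with ReadProperty, WriteProperty
    # and a non-empty ObjectType (property-specific), not GenericAll / WriteDacl.
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                     InheritedObjectType, InheritanceType -AutoSize
}

Grant-UnlockDelegation
Test-UnlockDelegation

# Equivalent one-liner with dsacls (same scope: lockoutTime on descendant user objects):
#   dsacls "OU=Staff,DC=corp,DC=example" /I:S /G "CORP\Managers-UnlockOnly:RPWP;lockoutTime;user"
```

Two things to check after running it. First, the ACE must name the lockoutTime property; an ACE with an empty ObjectType is Write on all properties, which lets the group change group membership, logon scripts and more. Second, AD permissions are scoped by OU, not by the Manager attribute, so every member of the group can unlock every user under that OU; keep the group small or split it per OU if that matters.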
  • If you want to do that with a script, have a look at this https://community.spiceworks.com/how_to/11824-email-account-lock-out-notification

    There's also a tool called Adaxes that can help you with that. It allows you to trigger a task that would send email notification to the manager of the user whose account was locked (or any other user in AD). After that you can unlock account/reset password through a convenient WebUI (http://www.adaxes.com/active-directory_web-interface). 

    You can also either allow your users to do it by themselves (http://www.adaxes.com/active-directory_self-service-password-reset) or delegate it to managers. So it seems that everything that you're asking for is fulfilled.

    Monday, November 16, 2015 7:02 AM
  • Hi Mary,

    Thank you for your reply.

    I agree and understand that we can send it to the user or Admin or CC someone.

    Is it technically possible to find the target user's manager from some CSV or Excel file and send an email to his manager?

    Monday, November 16, 2015 7:02 AM
  • Hi V-2sahs,

    As far as I know, there's no such built-in setting that could find the target user's manager directly and send the e-mail notification. And as I said before, you could use scripts to send account lockout email notifications to the specific persons. For finding the target user's manager directly at the same time and then sending the e-mail, you may try to use scripts. I suggest you confirm this in the Scripting forum.

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?category=scripting

    Best Regards,

    Mary Dong


    Monday, November 16, 2015 9:34 AM
  • Apart from the above suggestion, you can also check out this informative TechNet resource (

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/81cb2e53-29c5-43dd-9039-b1ffa0296354/account-lockout-and-management-tools?forum=winserversecurity

    ) that helps with account lockout. You can try this self-service password reset tool from http://www.selfservicepasswordreset.org/ which allows users to reset forgotten passwords, troubleshoot account lockouts and unlock their locked accounts by themselves, without asking the help-desk person. This software is integrated with GINA settings, which enables unlocking the account and resetting a forgotten password directly from the login screen.


    • Edited by andyla Thursday, November 19, 2015 9:50 AM
    Thursday, November 19, 2015 9:49 AM
  • Thank you, Richard.

    I'm going to try and update.

    Wednesday, December 2, 2015 4:38 AM
  • Andyla, I agree self-service is a great tool, which we are already using, but users tend to forget their secret questions and answers.

    I'm planning to replace it with MIM/FIM.

    Wednesday, December 2, 2015 4:39 AM