3.34 NumberOfUsersLocked

Use this Knowledge Script to monitor the number of locked user accounts in the selected domain or organizational unit. This script raises an event if the number of locked user accounts exceeds the threshold you set.

You can set this script to automatically unlock any accounts that are found to be locked. You can also enter a comma-separated list of accounts to be unlocked. Leave the List of accounts to unlock parameter blank to unlock all locked accounts.

This script includes an option to ignore user accounts that have been disabled.

HINT: If your organization experiences a large number of locked accounts, this script can automatically reset them, thereby saving the organization roughly $50 per locked-out user, according to a common industry estimate.

3.34.1 Resource Objects

Active Directory domain or organizational unit (OU)

To monitor OUs with this script, specify organizationalUnit in the Classes to include parameter of the Discovery_ActiveDS Knowledge Script.

When run on an OU, this script monitors all locked user accounts in that OU and any child OUs. The total number of locked user accounts for an OU consists of all locked user accounts in the OU and in any child OUs.

When you run this script on a domain, the domain and all child OUs show that a job is running. However, the script runs only on the domain and not on the child OUs.

3.34.2 Default Schedule

The default interval for this script is Every 24 hours.

3.34.3 Setting Parameter Values

Set the following parameters as needed:

Parameter

How to Set It

General Settings

Raise event if job fails

Event severity when job fails

Set the severity level, from 1 to 40, to indicate the importance of an event in which the NumberOfUsersLocked job fails. The default is 35.

Monitor number of locked user accounts

Omit disabled accounts?

Select Yes to ignore disabled user accounts when checking for locked user accounts. By default, this script includes disabled accounts when checking for locked user

Enable job delegation?

Select Yes to enable the delegation of the job to another server where appropriate. If enabled, the job runs on the selected computer that holds the server role that you selected for the Delegate domain-wide monitoring to the... parameter. The default is unselected. For more information, see Section 3.1, AD Knowledge Script Job Delegation.

Delegate domain-wide monitoring to the

Select the server role to which the job should be delegated: Primary Domain Controller (PDC), Infrastructure Master, or RID Master. The default is PDC.

Raise event when DC assumes this role?

If you enabled job delegation, set to Yes to raise events if the DC assumes the server role you selected for the Delegate domain-wide monitoring to the... parameter. The event indicates that the monitored computer has assumed the selected role. The default is Yes.

Event severity when DC assumes this role

Set the severity level, from 1 to 40, to indicate the importance of an event in which the DC assumes the role you selected for the Delegate domain-wide monitoring to the... parameter. The default is 30.

Raise event when DC relinquishes this role?

If you enabled job delegation, set to Yes to raise events if the DC gives up the server role you selected for the Delegate domain-wide monitoring to the... parameter. The event indicates that the monitored computer has relinquished the selected role. The default is Yes.

Event severity when DC relinquishes this role

Set the severity level, from 1 to 40, to indicate the importance of an event in which the DC relinquishes the role you selected for the Delegate domain-wide monitoring to the... parameter. The default is 30.

Event Notification

Raise event if number of locked user accounts exceeds threshold?

Select Yes to raise an event if the number of locked user accounts exceeds the threshold you set. The default is Yes.

Threshold -- Maximum number of locked user accounts

Specify the maximum number of locked user accounts that can be in the domain naming context before an event is raised. The default is 10 locked accounts.

Event severity when number of locked accounts exceeds threshold

Set the severity level, from 1 to 40, to indicate the importance of an event in which the number of locked user accounts exceeds the threshold. The default is 5.

Data Collection

Collect data for number of locked user accounts?

Select Yes to collect data for charts and reports. If enabled, data collection returns the number of locked user accounts detected in the interval. The default is unselected.

Remediation

Unlock accounts that are locked?

Select Yes to automatically unlock locked user accounts. The default is unselected.

List of accounts to unlock

If you enabled the previous parameter, list specific user accounts to unlock, or leave the field blank to unlock all locked user accounts. Separate multiple entries with commas and no spaces. For example, to only unlock specific accounts, enter:

wolfpack,serge,elan

NOTE: Use the account name as it is displayed in the Users and Computers administrative tool. The names specified will match any part of an account name.
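The following is an added example, not code from the Knowledge Script: a small Python model of the parameters described above (Omit disabled accounts?, the threshold, and List of accounts to unlock) that can serve as a dry run before remediation is enabled. The account records are constructed, and two behaviors are assumptions the page does not state: matching is treated as case-insensitive, and the unlock selection is drawn from the same set of accounts that was counted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str              # name as displayed in Users and Computers
    locked: bool
    disabled: bool = False

# Constructed sample data, not real accounts.
SAMPLE = [
    Account("wolfpack", locked=True),
    Account("serge", locked=True),
    Account("elan", locked=True),
    Account("melanie", locked=True),                  # contains "elan"
    Account("svc-backup", locked=True, disabled=True),
    Account("jdoe", locked=False),
]

def locked_accounts(accounts, omit_disabled=False):
    """Locked accounts, optionally ignoring disabled ones."""
    return [a for a in accounts
            if a.locked and not (omit_disabled and a.disabled)]

def exceeds_threshold(accounts, threshold=10, omit_disabled=False):
    """An event is raised only when the count exceeds the threshold."""
    return len(locked_accounts(accounts, omit_disabled)) > threshold

def parse_unlock_list(unlock_list):
    """Comma-separated, no spaces; a blank list yields no patterns."""
    return [p for p in unlock_list.split(",") if p]

def unlock_candidates(accounts, unlock_list="", omit_disabled=False):
    """Names that would be unlocked. A blank list selects every locked
    account; otherwise an entry matches any part of an account name
    (case-insensitive here, which is an assumption)."""
    locked = locked_accounts(accounts, omit_disabled)
    patterns = [p.lower() for p in parse_unlock_list(unlock_list)]
    if not patterns:
        return [a.name for a in locked]
    return [a.name for a in locked
            if any(p in a.name.lower() for p in patterns)]

def unintended_matches(accounts, unlock_list, omit_disabled=False):
    """Candidates selected only through partial matching."""
    exact = {p.lower() for p in parse_unlock_list(unlock_list)}
    return [n for n in unlock_candidates(accounts, unlock_list, omit_disabled)
            if n.lower() not in exact]
```

With the list from the example above, `unintended_matches(SAMPLE, "wolfpack,serge,elan")` reports `melanie`, an account that was never listed but would be unlocked because its name contains `elan`.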