PowerShell: creating a scheduled task that collects failed logon information from DCs and sends a mail notification


(Note: this article is a modified version of the following predecessor article; source: http://itadmindev.blogspot.hk/2011/07/powershell-ad-dc-failed-logins-report.html)

The original script only collected, from the AD domain controllers over the past day, the source IP, host name and number of attempts for EventID 4625 (account failed to log on).

The meaning of each EventID can be looked up here: http://support.microsoft.com/kb/947226/zh-cn

For my own needs I modified it to collect, for the past day, EventID 4771 (Kerberos pre-authentication failed), which mainly covers failed authentication of AD accounts from client machines, and to send a mail notification to a mailbox at the same time.

1. Enable auditing on the DCs

Edit the Default Domain Controllers Policy GPO and enable Audit account logon events / Audit logon events.

2. Modify the PowerShell execution policy

Because the default PowerShell policy does not allow unsigned .ps1 scripts to run, calling the script directly fails with an execution policy error.

Refer to these KB articles:

http://technet.microsoft.com/zh-CN/library/hh847748.aspx

http://technet.microsoft.com/zh-cn/library/ee176949.aspx

The PS script we edited is unsigned, so we need to change the policy as follows:

1) Check the current execution policy: Get-ExecutionPolicy

It shows Restricted, meaning unsigned script files are not allowed to run.

2) Change the execution policy to RemoteSigned: Set-ExecutionPolicy RemoteSigned

Then enter "Y" to confirm the change.

3) Check the current execution policy again: Get-ExecutionPolicy

It now shows RemoteSigned.

3. Download and modify the PowerShell code

In the attached PS script, change the following items yourself:

1) DC names

Line 25 of the script lists your DC names in parentheses. If you have more than one DC, edit the list to your actual DC names, for example dc001, dc002; the array on that line reads:

@("dc001", "dc002")

2) SMTP settings

Lines 134-136 of the script hold the sender address, the recipient address, and the host name or IP address of the internal SMTP server (the addresses below are placeholders; use your own):

$from = "sender@example.com"

$to = "recipient@example.com"

$smtpServer = "mail.sysmicro.cn"

After modifying the script, run it manually first to make sure it completes normally without errors, then save it as a .ps1 file so it can be called at any time.
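The following is an added example written for this page, not the article's attached script: it shows one way to implement what the script is described as doing, i.e. query EventID 4771 from each DC for the past day, summarize the failures by account and client address, and mail the result as an HTML table. The DC names, mail addresses and SMTP host are placeholders, and the account running it is assumed to have permission to read the Security log on the DCs remotely.

```powershell
# Added example, not the original article's script.
# Collect Kerberos pre-authentication failures (EventID 4771) from each DC for
# the past day, summarize them, and e-mail the summary as an HTML table.
$DCs        = @("dc001", "dc002")      # placeholder DC names
$from       = "report@example.com"     # placeholder sender
$to         = "admin@example.com"      # placeholder recipient
$smtpServer = "smtp.example.com"       # placeholder internal SMTP host
$since      = (Get-Date).AddDays(-1)

$results = foreach ($dc in $DCs) {
    try {
        # 4771 is logged in the Security log of the DC that acted as KDC
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4771
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result
        if ($_.Exception.Message -match 'No events were found') { $events = @() }
        else { Write-Warning "Could not query ${dc}: $_"; continue }
    }

    foreach ($e in $events) {
        # Pull the named fields out of the event XML instead of parsing the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            DC            = $dc
            Account       = $data['TargetUserName']
            ClientAddress = ($data['IpAddress'] -replace '^::ffff:', '')  # strip IPv4-mapped prefix
            FailureCode   = $data['Status']   # Kerberos error code, e.g. 0x18 = wrong password
            Time          = $e.TimeCreated
        }
    }
}

# One row per account / client address / failure code, with a count and last-seen time
$summary = $results |
    Group-Object Account, ClientAddress, FailureCode |
    ForEach-Object {
        [pscustomobject]@{
            Account       = $_.Group[0].Account
            ClientAddress = $_.Group[0].ClientAddress
            FailureCode   = $_.Group[0].FailureCode
            Count         = $_.Count
            LastSeen      = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Count -Descending

if ($summary) {
    $body = $summary | ConvertTo-Html -Title "Kerberos pre-auth failures (4771)" `
        -PreContent "<h2>4771 events since $since</h2>" | Out-String
} else {
    $body = "<p>No 4771 events were recorded in the past day.</p>"
}

Send-MailMessage -From $from -To $to -SmtpServer $smtpServer `
    -Subject "AD failed logon report (4771) $(Get-Date -Format yyyy-MM-dd)" `
    -Body $body -BodyAsHtml
```

Grouping on the Kerberos status code as well as the account and address is what makes the report useful to an administrator: a long run of 0x18 (bad password) from one client against many accounts looks very different from a single account failing with 0x17 (password expired), and the table shows that distinction directly.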

4. Add the PowerShell script to a scheduled task so it runs automatically

If you need the script to run at a fixed time every day and notify the designated person of the previous day's authentication failures, create a scheduled task with a fixed run time. The specific method is described here:

http://blogs.technet.com/b/heyscriptingguy/archive/2012/08/11/weekend-scripter-use-the-windows-task-scheduler-to-run-a-windows-powershell-script.aspx

1) Create a basic task

Open Start \ All Programs \ Administrative Tools \ Task Scheduler and choose Create Basic Task on the right.

2) Enter the task name you want, for example AdFailedLogonReport, then click Next.

3) For the trigger, select Daily, then click Next.

4) Choose the time of day to run according to your needs, then click Next.

5) In the Action step, select Start a program, then click Next.

6) In Program/script, click Browse and select the .ps1 file saved in step 3, then change the entry to: powershell -File "D:\Script\AD_DCs_Failed_Login_Report_4771_51cto.ps1", then click Next.

7) Select "Yes" in the Task Scheduler pop-up.

8) On the Finish page, tick Open the Properties dialog for this task when I click Finish, then click Finish.

9) In the task properties, generally select Run whether user is logged on or not, so that the task runs even when nobody is logged on to the server; click OK to finish.
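As an added example (not part of the original article), the same daily task can be registered from PowerShell with the ScheduledTasks module, which is available on Windows Server 2012 / Windows 8 and later; this avoids clicking through the wizard and makes the "run whether user is logged on or not" setting explicit. The run time and the account are placeholders; the script path is the one used in step 6.

```powershell
# Added example, not from the original article: register the report task from PowerShell.
$taskName   = "AdFailedLogonReport"
$scriptPath = "D:\Script\AD_DCs_Failed_Login_Report_4771_51cto.ps1"   # path from step 6
$runAt      = "06:00"                                                  # placeholder time of day

# Equivalent of the wizard's Program/script entry. -NoProfile keeps profile scripts
# out of an unattended run; -ExecutionPolicy applies to this process only, so the
# task does not depend on the machine-wide setting from step 2.
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$scriptPath`""

$trigger = New-ScheduledTaskTrigger -Daily -At $runAt

# Stop a hung run after an hour, never start a second copy while one is running,
# and catch up if the server was off at the scheduled time.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

# Prompt for the account rather than hard-coding a password in the script.
# Supplying -User/-Password stores the credential with the task, which is what gives it
# the "Run whether user is logged on or not" (Password) logon type chosen in step 9.
$cred = Get-Credential -Message "Account that should run $taskName (needs read access to the DC Security logs)"

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited -Force

# Verify the logon type, run the task once by hand, and check the last result (0 = success)
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State, @{ n = 'LogonType'; e = { $_.Principal.LogonType } }
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 30
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

The final three commands are the check the wizard does not give you: a LastTaskResult other than 0 means the script failed when run unattended (typically because the chosen account cannot read the remote Security logs or reach the SMTP server), which is easy to miss if you only ever ran it manually from your own session.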

Note: the method above is provided for reference; you can change the EventID in the query to collect whatever information you need.

After testing in my working environment the results are good. If there were no authentication failures in the past day, the mail received contains an empty table.

If there were authentication failures in the past day, the mail shows the specific IP address, account and number of failures, and the administrator can then check the computer at that IP address and the account in question to eliminate the security risk.
