0 votes

Mainly because we are heavy ActiveSync users, we have a lot of issues with AD Account lockouts. I'd like to have an automated way to detect account lockouts, and take an action (send an email, etc.) based on that condition.

Now, I have a PowerShell script that I use to check the condition of this, but I can't run the scheduled task in Adaxes with enough frequency for it to fire appropriately.

Do you have a way to check for this condition?

by (470 points)
0

Hello,

Please clarify: do you want to run your script more often than once an hour, or is the issue that your script does not detect locked accounts correctly?

0

The script that I have does correctly detect the locked-out accounts. The problem now is that I cannot run the event, say, every 30 minutes.

But, additionally, if there is already a variable or Adaxes condition for locked status, please advise me so that I can implement this.

1 Answer

0 votes
by (216k points)

Hello,

It is impossible to run a Scheduled Task more often than once an hour. This feature is in our TODO list. Most probably, it will be implemented in Adaxes version 2013.1 that is planned for late January.

As for checking if an account is locked, there is no built-in condition to check if an account is locked, but you can use the If PowerShell script returns true condition for this purpose.

To add such a condition to your Scheduled Task:

  1. Right-click the set of actions and conditions of your Scheduled Task.

  2. Click Add Condition....

  3. Add the If PowerShell script returns true condition and paste the following script:

     $Context.ConditionIsMet = $Context.TargetObject.IsAccountLocked

The script uses the IsAccountLocked property of the user object. As an option, you can use it in your own script, for example:

$isAccountLocked = $Context.TargetObject.IsAccountLocked
if ($isAccountLocked)
{
  # TODO: add some code here.
}
0

Thank you for the response. That is, in effect, what I'm using. So, the limitation is that this can only "fire" on demand when the script is run manually or a maximum of once per day.

0

Joe,

The minimum time interval for a Scheduled Task is once an hour.

0

Starting from Adaxes 2013.1, Scheduled Tasks can be set up to run every N minutes.

Also, now you don't need a script to check whether an account is locked out. Use the If account is locked out / not locked out condition.

0

Perfect! I've already changed the task.

0

How would I check every single user in my AD?

Would I just create a for-each loop...? Would anyone mind posting code that does this?

0

Hello Michael,

The posts in this topic suggest that you create a Scheduled Task. On the final step of the Create Scheduled Task wizard, you are supposed to specify an Activity Scope for the task. A Scheduled Task Activity Scope defines the objects for which the task will be run. If you include All objects in the Activity Scope of a Scheduled Task created per the above instructions, this will mean that the task will run for each user account in your Active Directory. In other words, it will check each user.
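
For the question above about checking every user, a stand-alone version that runs outside Adaxes (an added example, not part of the original thread and not Adaxes code). It assumes the RSAT ActiveDirectory module is installed; the SMTP server and mail addresses are placeholders.

```powershell
# Added example: runs outside Adaxes and needs the RSAT ActiveDirectory module.
# The SMTP server and addresses below are placeholders (assumptions).
Import-Module ActiveDirectory

$smtpServer = 'smtp.example.com'        # placeholder
$mailFrom   = 'ad-alerts@example.com'   # placeholder
$mailTo     = 'helpdesk@example.com'    # placeholder

# Search-ADAccount evaluates the lockout state of every user in the domain,
# so no hand-written loop over all accounts is needed to find them.
$locked = @(Search-ADAccount -LockedOut -UsersOnly)

if ($locked.Count -eq 0) {
    Write-Output 'No locked-out user accounts found.'
    return
}

# Collect the attributes that help explain each lockout.
# BadLogonCount and LastBadPasswordAttempt are not replicated between
# domain controllers, so they reflect only the DC that answers the query.
$report = foreach ($account in $locked) {
    $user = Get-ADUser -Identity $account.DistinguishedName `
        -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
    [pscustomobject]@{
        SamAccountName         = $user.SamAccountName
        LockoutTime            = $user.AccountLockoutTime
        BadLogonCount          = $user.BadLogonCount
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
    }
}

# Newest lockouts first, rendered as plain text for the mail body.
$body = $report |
    Sort-Object LockoutTime -Descending |
    Format-Table -AutoSize |
    Out-String

Send-MailMessage -SmtpServer $smtpServer -From $mailFrom -To $mailTo `
    -Subject "AD lockouts: $($locked.Count) account(s) locked" -Body $body
```

Many accounts locking out within the same few minutes can indicate password spraying rather than stale ActiveSync credentials, so the sorted lockout times are worth a look before unlocking.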
