Real-Time Account Lockout Monitoring with Server Manager
The other day I had a customer ask how to get notified when an account is locked out. In this article I am going to show you how to use Server Manager to send a real-time email alert when a domain user account is locked out.
How to Configure the Email Server Connection
First, let's configure the connection to the email server.
- From the menu bar select Edit -> Server Manager Properties.
- Select the Email tab.
- Set your Servername. Many servers nowadays run STARTTLS on port 587. If that's the case, set the Port to 587 and Security to STARTTLS; otherwise, specify your server's settings.
- Specify the email address you want the service to log in as, along with the password.
- Under the From Information, specify the name you would like to appear in the alert, then copy and paste the email address you specified in the Username field above.
- Once you have set all of the values, specify an email address you would like to send a test alert to. I suggest specifying an email address outside of your email domain; that way you can verify your email server is going to relay your message. Lastly, click the Test button. You should receive a success message. If you receive an error, check your settings and try again.
- Click Close and save your changes.

How to Configure the Email Alert
OK, now that we have the email server set up properly, let's make sure we have an Action configured to send an email alert to our email address.
- From the Object Explorer expand Actions then Email.
- Find the Account Lockout with Username action, right click and select Properties. Notice the {USER} tag. When an account lockout is detected the email action replaces the tag with the name of the user account that was locked out.
- Use the Addresses drop-down to type the email address you would like to send the alert to.
- Click Close and save your changes.

How to Configure the Real-Time Account Lockout Monitoring Template
Now let's configure the account lockout template. Server Manager includes an out-of-the-box template to send account lockout alerts.
- From the Object Explorer expand Templates then Sample Templates.
- Find the Account Lockout Monitor (Event Log) template, right click and select Template Properties. The template properties view displays.
- On the General tab notice the Execution method is set to Real-Time. Once assigned to a host, this template is going to subscribe to the Security Event Log on the target server and watch for account lockout log entries.
- Next select the Logs tab. Verify the Security log is checked.
- Next select the Monitoring tab. Notice there are two Filter/Action assignments. The first triggers the alert while the second clears the alert but only after the system administrator manually unlocks the account. Windows does not write an event log entry when an account is automatically unlocked.
- Next we need to assign the domain controller to the template. Use the Hosts drop-down to assign the domain controller. If you have not yet added the domain controller to the software, click the Add button then use the Add Computers, Devices and Hosts dialog to add your domain controller.
- Click Close and save your changes.
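
To cross-check what the template's two filters react to, the following PowerShell reads the same Security log directly and lists accounts whose latest event is a lockout with no later manual unlock. It is an added example, not part of Server Manager or the original article. It assumes the standard Windows event IDs 4740 (account locked out) and 4767 (account unlocked), which the article does not name, and the parameter names are this example's own.

```powershell
# Added example. Assumptions: run against the monitored domain controller with
# rights to read the Security log; event IDs 4740/4767 are the standard Windows
# IDs for "account locked out" / "account unlocked".
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: the domain controller
    [int]$Hours = 24                            # how far back to look
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4767
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent emits an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue

# Replay events oldest-first: a 4740 raises the alert for the user,
# a later 4767 (manual unlock) clears it, mirroring the two filters.
$open = @{}
foreach ($e in ($events | Sort-Object TimeCreated)) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $user = $data['TargetUserName']
    if ($e.Id -eq 4740) {
        $open[$user] = [pscustomobject]@{
            User           = $user
            LockedAt       = $e.TimeCreated
            # In 4740 the TargetDomainName field holds the caller computer name.
            CallerComputer = $data['TargetDomainName']
        }
    } else {
        $open.Remove($user)
    }
}

# Accounts still shown here had no manual unlock event in the window.
$open.Values | Sort-Object LockedAt
```

Because no event is written for an automatic unlock, an account in this output may already have been unlocked by the lockout duration policy, which is the same reason the template's alert only clears on a manual unlock.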
Locking out the Domain User Account
Now that everything is configured let's test the real-time account lockout monitor. First, let's open a real-time viewer to the domain controller's Security log.
- From the Object Explorer locate the domain controller and expand it.
- Find the Account Lockout Monitor template then expand it.
- Finally, right click on Security and select Watch.
Now that the real-time viewer is displayed, let's lock out the account.
- To test, I am going to open an RDP session to my domain controller. In my case I have configured my domain controller to lock out accounts after 5 invalid login attempts, so I need to attempt to connect 5 times with a bogus password before I receive the account locked out message from RDP.
- The sixth login attempt results in the RDP client throwing the following error:
- Immediately I see the email come through and the status on the domain controller set to warning. Looking at the real-time viewer I see 6 failed login attempts and one account locked out event log entry.
- Finally, if I right click on the template and select Explore, I can see the current status and history of events. Notice the RPC server errors. Earlier this morning I recorded a video on this subject before I shut down my Azure hosted domain controller. Later, when writing this article I turned the Azure hosted domain controller back on before triggering the user account lockout again.
That's real-time account lockout monitoring with Corner Bowl Server Manager.