I want to email the SysAdmin event ID 4625 (account lockout).
Current code:
# Read the newest event 4625 from the Security log
$AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4625 -Newest 1
# ReplacementStrings[0] is the first field of the event (shown as S-1-0-0 in the subject line)
$LockedAccount = $($AccountLockOutEvent.ReplacementStrings[0])
$AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
$AccountLockOutEventMessage = $AccountLockOutEvent.Message
$messageParameters = @{
    Subject = "Account Locked Out: $LockedAccount"
    Body = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage"
    From = ""
    To = ""
    SmtpServer = ""
}
Send-MailMessage @messageParameters
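Questions for PowerShell experts:
1 - How can I capture the exact reason for the lockout instead of %%2313, along with other information (such as the samaccountname)? Instead of the subject line showing the locked account as S-1-0-0, I would like to see the account name there.
2 - Is it possible to get the ADUser information so that we can also send an email to the user, telling them that their account has been locked and to contact the SysAdmin to unlock it?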
You can use this snippet to get output that contains the fields you need: SubjectUserName and SubjectDomainName.
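# Fetch the most recent event 4625 from the Security log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625 } -MaxEvents 1
# $event is a PowerShell automatic variable, so a different name is used here
$logonEvent = $events
[xml]$eventXML = $logonEvent.ToXml()
# List the named fields in the event's EventData section
$eventXML.Event.EventData.Data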
The output will look like this.
Name               #text
----               -----
SubjectUserSid     S-0-0-00-0000000000-0000000000-0000000000-0000
SubjectUserName    MyUsername
SubjectDomainName  MyHostname
SubjectLogonId     0x00000000
PrivilegeList      SeSecurityPrivilege
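
Building on the XML approach in the answer above, the following added example (not code from the original post) turns the EventData fields of a 4625 event into a readable account name and failure reason, then looks up the user's mailbox. It reads the TargetUserName, TargetDomainName, SubStatus and IpAddress fields of event 4625; the function name ConvertFrom-FailedLogonXml, the $ReasonBySubStatus table and all sample values are assumptions made for illustration.

```powershell
# Constructed sample of the XML that (Get-WinEvent ...).ToXml() returns for event 4625.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-15T09:30:00.000Z" /></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@

# NTSTATUS codes commonly seen in the SubStatus field of 4625 (hypothetical helper table).
$ReasonBySubStatus = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000234' = 'Account is locked out'
    '0xc0000072' = 'Account is disabled'
    '0xc0000193' = 'Account has expired'
    '0xc0000071' = 'Password has expired'
}

function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    # Turn the <Data Name="..."> elements into a name -> value lookup.
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $code = "$($fields['SubStatus'])".ToLower()
    $reason = $ReasonBySubStatus[$code]
    if (-not $reason) { $reason = "Unmapped status $code" }
    [pscustomobject]@{
        Account        = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        SamAccountName = $fields['TargetUserName']   # supplied by whoever attempted the logon
        Reason         = $reason
        Source         = $fields['IpAddress']
        Time           = [datetime]$doc.Event.System.TimeCreated.SystemTime
    }
}

$info = ConvertFrom-FailedLogonXml -Xml $sampleXml
"Subject: Failed logon for $($info.Account): $($info.Reason)"
# Mailbox lookup for notifying the user; skipped when the ActiveDirectory module is absent.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    try { (Get-ADUser -Identity $info.SamAccountName -Properties EmailAddress).EmailAddress } catch { 'No AD user found' }
}
```

To use it against a live log, pass `(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625 } -MaxEvents 1).ToXml()` as the `-Xml` argument instead of the sample.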