Saturday, September 3, 2011

Sending alerts from the Windows Event Viewer

In Windows 2008 you have the cool feature of being able to create a task in the Task Scheduler from an event in the Event Viewer. In its simplest form you right-click the event and choose the option of making a task. This can then be configured to run a program every time that event occurs or, thanks to the embedded PowerShell cmdlets, send an email. Things to watch out for are that your email administrator will allow SMTP port 25 from the server you are configuring and that the task will be able to run when no user is logged into the server. I suggest a service account, and that account must have the 'Log on as a batch job' right.

There is a special case that I had to deal with that involved trapping an account lockout. The problem is that Microsoft uses the same source and event ID (4625) for a range of events, including account lockout and an attempt to use a bad password. Here's the solution:

If you don't have an existing event in the log, make one happen. Right-click the event and make a basic task, and set it up with the correct user account and all that stuff. Now, in the Task Scheduler you will find a new folder under 'Task Scheduler Library' called 'Event Viewer Tasks'. Open it up and edit the trigger. The 'Begin Task' drop-down will say 'On an Event'; change the radio button from 'Basic' to 'Custom'. There you will find the options you need to identify which kind of event 4625 you want to trap.
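The same result can be produced without clicking through the GUI. The script below is an added example, not the post author's code: it builds the task definition XML with a 'Custom' event trigger whose filter matches only 4625 events whose Status field is the NTSTATUS value for an account lockout (0xc0000234; a bad password instead shows 0xc000006d with SubStatus 0xc000006a), mails an alert with Send-MailMessage, and registers the task with schtasks.exe under a service account. The task name, account, SMTP host and mail addresses are placeholders; the lowercase hex casing is assumed and should be checked against the XML view of a sample event in your own Security log, because the XPath compares strings.

```powershell
# Added example (not from the original post): register a Task Scheduler task that
# fires only on 4625 events whose Status is "account locked out" and mails an alert.
# Placeholders to replace: task name, service account, SMTP host, sender, recipient.

$TaskName   = 'Alert-AccountLockout'          # placeholder
$RunAsUser  = 'CORP\svc-eventalerts'          # placeholder service account (needs "Log on as a batch job")
$SmtpServer = 'smtp.example.internal'         # placeholder; port 25 must be reachable from this host
$MailFrom   = 'alerts@example.internal'       # placeholder
$MailTo     = 'secops@example.internal'       # placeholder

# NTSTATUS value Windows writes into the Status field of event 4625 for a lockout.
# (A wrong password instead logs Status 0xc000006d with SubStatus 0xc000006a.)
# The XPath below compares strings, so the casing must match the XML view of a real
# sample event in your Security log; lowercase is assumed here.
$LockoutStatus = '0xc0000234'

# Event filter the "Custom" trigger accepts; this is the same XML you can paste
# into the trigger's XML tab if you use the GUI route.
$Subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)]] and *[EventData[Data[@Name='Status']='$LockoutStatus']]
    </Select>
  </Query>
</QueryList>
"@

# The action: a single PowerShell command that sends the alert.
# The backtick keeps $env:COMPUTERNAME literal so the task's own PowerShell expands it.
$MailCommand = "Send-MailMessage -SmtpServer '$SmtpServer' -From '$MailFrom' -To '$MailTo' " +
               "-Subject ('Account lockout on ' + `$env:COMPUTERNAME) " +
               "-Body 'Security event 4625 with status account-locked-out was logged. Check the Security log for the target account and caller.'"

# Task definition in the Task Scheduler XML schema. The subscription is XML-escaped
# because it is stored as text inside the <Subscription> element.
$Escaped = [System.Security.SecurityElement]::Escape($Subscription)
$TaskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$Escaped</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$RunAsUser</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -Command "$MailCommand"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

$XmlPath = Join-Path $env:TEMP "$TaskName.xml"
$TaskXml | Out-File -FilePath $XmlPath -Encoding Unicode

# Register with schtasks.exe (available on Windows Server 2008). Prompting for the
# password keeps the service account secret out of the script file.
$Secure = Read-Host -Prompt "Password for $RunAsUser" -AsSecureString
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))
schtasks.exe /Create /TN $TaskName /XML $XmlPath /RU $RunAsUser /RP $Plain /F
Remove-Item $XmlPath
```

Logon type 'Password' is what lets the task run when nobody is logged on, which is why the account needs the 'Log on as a batch job' right. To verify the filter before relying on it, trigger a test lockout on a throwaway account and confirm the task's Last Run Result in Task Scheduler, and that a plain bad-password 4625 does not fire it.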

Cheers!
