Monitor locked out accounts in Active Directory with PRTG

PRTG can execute PowerShell scripts to query Active Directory for locked out accounts. This can be useful to help detect brute-force attacks and/or proactively detecting which users are experiencing issues logging in.

  1. Deploy PRTG somewhere.
  2. Get Paessler’s sample script here If you can’t be bothered, here’s the same script, signed with my code certificate. It’s timestamped, so it should remain valid/working even after my signing cert expires. Since it’s signed, you can easily open it, verify the contents before executing it.
  3. Sign it. I’d recommend you to keep the signing environment separate from your PRTG environment. Don’t put the PFX/signing key anywhere near the PRTG box.
  4. Deploy the signed script to your PRTG server to C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML.
  5. Update the ExecutionPolicy on the PRTG server. Allowing Signed scripts on the PRTG machine is probably appropriate.
    Set-ExecutionPolicy AllSigned -Scope LocalMachine
    
  6. Open PowerShell (x86) (IMPORTANT: You want x86, since PRTG is x86 as well) as the domain user that PRTG uses to run the script. Run this script. You’ll have to “Always” trust the cert you signed with.
  7. Set up the PRTG sensor. Set the Active Directory credentials on the DC/server object with the same domain user that you used in the previous step.
  8. Watch %PROGRAMDATA%\Paessler\PRTG Network Monitor\Logs (Sensors) for any output from this sensor for debugging, if you have PRTG saving the results of the runs to a file.

See also