This is based on Security Event ID 4724. When this event is logged on the domain controller, Task Scheduler starts this script. The script sends a mail to the admin and to the user, and also writes a local log file recording who reset the password.
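# Created by Daag van der Meer on 12-10-2018
# Blog.van-daag.nl
# PowerShell: send mail to the user and to the admin when an account password
# reset (Security event 4724) is logged, and record the reset in a log file.
#
# Meant to be started by a Task Scheduler trigger on event 4724 on the domain
# controller. Needs Get-EventLog (Windows PowerShell) and Get-ADUser.
#
# NOTE(review): the script reports the newest 4724 event present when it runs,
# which is not necessarily the event that fired the task. Two resets in quick
# succession can be reported twice or not at all, so the Security log itself
# stays the authoritative record.
# NOTE(review): 4724 can also be written as an audit failure; confirm whether
# the "has been reset" mail to the user should be limited to SuccessAudit
# entries.

##################
## Log location
##################
$log = "C:\Logs\Accountreset.csv"

# Head section of the admin report. The title used to read "Account locked out
# Report", which did not match what this script reports.
$HTML = @"
<title>Account password reset Report</title>
<!--mce:0-->
"@

##################
## Retrieve the event once and take every value from that one record
##################
# The event log was previously queried twice (once for the report, once for the
# user name), so the two results could belong to different events.
$entry = Get-EventLog -LogName Security -InstanceId 4724 -Newest 1
if (-not $entry) {
    Write-Warning "No Security event 4724 found; nothing to report."
    return
}

# Target account, read straight from the record instead of parsing the
# "@{UserName=...}" text form of an object.
$user = [string]$entry.ReplacementStrings[0]

# Renamed from $event, which is an automatic variable in PowerShell.
$resetEvent = New-Object PSObject -Property @{
    "Account name"   = $user
    "Account Domain" = $entry.ReplacementStrings[1]
    "Reset by"       = $entry.ReplacementStrings[4]
    Date             = $entry.TimeGenerated
}

##################
## Write the local log first, so a mail failure cannot lose the record
##################
$resetEvent | Export-Csv $log -NoTypeInformation -Append

##################
## Build the admin report in memory
##################
# The report used to be appended to the fixed path c:\Temp\reset.html and read
# back. Anything already in that file (a leftover from a failed run, or content
# placed there by someone else) ended up in the mail to the admin.
$MailBody = $resetEvent |
    ConvertTo-Html -Property "Account name","Account Domain","Reset By",Date -Head $HTML -Body "<H2> User account password is reset</H2>" |
    Out-String

##################
## Mail config admin
##################
$MailSubject = "User password reset"

# NOTE(review): SmtpClient defaults are used (no TLS, no credentials). Set
# EnableSsl / Credentials here if the mail relay supports them.
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "<MAIL SERVER>"

$MailMessage = New-Object System.Net.Mail.MailMessage
try {
    $MailMessage.From = "<FROM MAILADRESS>"
    $MailMessage.To.Add("<MAILADRESS>")
    $MailMessage.Subject = $MailSubject
    $MailMessage.IsBodyHtml = $true
    $MailMessage.Body = $MailBody
    $SmtpClient.Send($MailMessage)
}
catch {
    # Keep going: the user should still be told even if the admin mail fails.
    Write-Warning "Admin notification could not be sent: $($_.Exception.Message)"
}
finally {
    $MailMessage.Dispose()
}

#############################
### Send mail to user #######
#############################
# One directory lookup instead of three. GivenName and Surname are part of the
# default Get-ADUser property set; only mail has to be requested.
$adUser = $null
try {
    $adUser = Get-ADUser -Identity $user -Properties mail -ErrorAction Stop
}
catch {
    Write-Warning "Account '$user' could not be read from the directory: $($_.Exception.Message)"
}

$useremail = if ($adUser) { [string]$adUser.mail } else { "" }

# Directory values go into an HTML body, so encode them before interpolation.
$userfirstname = [System.Net.WebUtility]::HtmlEncode([string]$adUser.GivenName)
$userlastsname = [System.Net.WebUtility]::HtmlEncode([string]$adUser.Surname)
$userAccountHtml = [System.Net.WebUtility]::HtmlEncode($user)

$Pic = '<ADD LOCATION FOR PICTURE IN MAIL>'

##################
## HTML mail setup to user
##################
$userBody = @"
<html>
<body>
<span lang=NL style='font-size:10.0pt;line-height:106%;color:black'>
Dear $userfirstname $userlastsname,<br>
<br>
The password for your <b>DOMAIN\$userAccountHtml</b> account has been reset.<br>
If you did not request this, please inform:<br>
<br>
This is an automated email.<br>
<br>
</span>
<img src="cid:Attachment">
"@

##################
## Mail config user
##################
$userSubject = "Your password is changed"

if ([string]::IsNullOrWhiteSpace($useremail)) {
    # Adding an empty recipient would throw; say why the user mail is skipped.
    Write-Warning "No mail address found for account '$user'; user notification skipped."
}
else {
    $userMessage = New-Object System.Net.Mail.MailMessage
    $att1 = $null
    try {
        # Inline picture, referenced from the body as cid:Attachment.
        $att1 = New-Object Net.Mail.Attachment($Pic)
        $att1.ContentType.MediaType = "image/png"
        $att1.ContentId = "Attachment"

        $userMessage.From = "<FROM MAILADRESS>"
        $userMessage.To.Add("$useremail")
        $userMessage.Subject = $userSubject
        $userMessage.IsBodyHtml = $true
        $userMessage.Body = $userBody
        $userMessage.Attachments.Add($att1)
        $SmtpClient.Send($userMessage)
    }
    catch {
        Write-Warning "User notification could not be sent: $($_.Exception.Message)"
    }
    finally {
        # Release the file handle held by the attachment.
        $userMessage.Dispose()
        if ($att1) { $att1.Dispose() }
    }
}

$SmtpClient.Dispose()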