This script is triggered by Security Event ID 4724 (a password reset attempt on an account). When that event is logged on the domain controller, Task Scheduler starts this script. The script sends a mail to the admin and to the affected user, and it also records who reset the password in a local log file.
# Created by Daag van der Meer on 12-10-2018
# Blog.van-daag.nl
# Powershell Send mail When account password reset is done To user and admin.
# Save this also in a Log file
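##################
## Settings: temp HTML file, CSV log and the HTML <head> of the admin report
##################
# Temp location for creating the HTML email.
$Report = "c:\Temp\reset.html"

# CSV file that receives one row per reported password reset.
$log = "C:\Logs\Accountreset.csv"

# Head section handed to ConvertTo-Html. The title previously read
# "Account locked out Report", which does not describe a password-reset report.
# NOTE(review): "<!--mce:0-->" looks like an editor placeholder left where a
# <style> block once was - confirm against the original script.
$HTML = @"
<title>Account password reset report</title>
<!--mce:0-->
"@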
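##################
## Retrieve the newest 4724 event once and derive every value from it
##################
# The log is read a single time. Two separate "-Newest 1" queries can return
# different events when another reset is logged in between, which would put one
# account in the admin report and mail a different user.
# NOTE(review): "-Newest 1" reports whatever 4724 event is newest when the task
# runs, not necessarily the event that triggered it. With resets logged close
# together, one can be reported twice and another missed - consider passing the
# triggering event's record ID from the scheduled task instead.
$rawEvent = Get-EventLog -LogName Security -InstanceId 4724 -Newest 1
if (-not $rawEvent) {
    throw "No Security event 4724 found; nothing to report."
}

# ReplacementStrings positions used by this script:
#   [0] account whose password was reset, [1] its domain, [4] account that did the reset.
# NOTE(review): $event is also a PowerShell automatic variable name; it is kept
# here because the rest of the script reads it.
$event = New-Object PSObject -Property @{
    "Account name"   = $rawEvent.ReplacementStrings[0]
    "Account Domain" = $rawEvent.ReplacementStrings[1]
    "Reset by"       = $rawEvent.ReplacementStrings[4]
    Date             = $rawEvent.TimeGenerated
}

##################
## User name of the affected account
##################
# Taken directly from the event field instead of parsing the "@{UserName=...}"
# text form of an object, which breaks on names containing "=" or "}".
$user = $rawEvent.ReplacementStrings[0]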
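##################
## Write the audit row, then send the report to the admin
##################
# The CSV row is written first so that the record of who reset the password is
# kept even when the mail server cannot be reached.
$event | Export-Csv $log -NoTypeInformation -Append

# The report is rendered in memory. The earlier version appended to a fixed file
# in c:\Temp, so leftovers from a failed run (or anything else written to that
# path) ended up in the next admin mail.
$MailBody = $event |
    ConvertTo-Html -Property "Account name","Account Domain","Reset By",Date -Head $HTML -Body "<H2> User account password is reset</H2>" |
    Out-String

##################
## Mail config admin
##################
$MailSubject = "User password reset"
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "<MAIL SERVER>"
$MailMessage = New-Object System.Net.Mail.MailMessage
try {
    $MailMessage.From = "<FROM MAILADRESS>"
    $MailMessage.To.Add("<MAILADRESS>")
    $MailMessage.Subject = $MailSubject
    $MailMessage.IsBodyHtml = $true
    $MailMessage.Body = $MailBody
    $SmtpClient.Send($MailMessage)
}
catch {
    # Reported as a non-terminating error so the rest of the script still runs.
    Write-Error "Admin notification could not be sent: $_"
}
finally {
    $MailMessage.Dispose()
}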
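#############################
### Send mail to user #######
#############################
# One directory lookup instead of three. GivenName and Surname are part of the
# default Get-ADUser property set; mail has to be requested explicitly.
# Properties are read directly rather than by stripping "@{Name=" and "}" from
# the text form of an object, which mangles values that contain "=" or "}".
$adUser = Get-ADUser $user -Properties mail
$useremail = $adUser.mail
$userfirstname = $adUser.GivenName
$userlastsname = $adUser.Surname

# Inline picture for the user mail, referenced from the HTML body as cid:Attachment.
$Pic = '<ADD LOCATION FOR PICTURE IN MAIL>'
$att1 = New-Object Net.Mail.Attachment($Pic)
# Plain ASCII quotes: typographic quotes depend on how the script file is
# encoded and can stop it from parsing.
$att1.ContentType.MediaType = "image/png"
$att1.ContentId = "Attachment"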
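##################
## HTML mail setup to user
##################
# Directory and event values are HTML-encoded before they are placed in the
# markup, so a name containing <, > or & is shown as text instead of being
# interpreted as HTML by the mail client.
$safeFirstName = [System.Net.WebUtility]::HtmlEncode($userfirstname)
$safeLastName = [System.Net.WebUtility]::HtmlEncode($userlastsname)
$safeUser = [System.Net.WebUtility]::HtmlEncode($user)

# The closing </body> and </html> tags were missing from the template.
# NOTE(review): "please inform:" is followed by no contact - fill in who the
# user should report an unexpected reset to.
$userBody = @"
<html>
<body>
<span lang=NL style='font-size:10.0pt;line-height:106%;color:black'>
Dear $safeFirstName $safeLastName,<br>
<br>
The password for your <b>DOMAIN\$safeUser</b> account has been reset.<br>
If you did not request this, please inform:<br>
<br>
This is an automated email.<br>
<br>
</span>
<img src="cid:Attachment">
</body>
</html>
"@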
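##################
## Mail config user
##################
# This mail is a courtesy notice only. Whoever reset the password may also be
# able to read the user's mailbox, so the admin mail and the CSV log remain the
# records to rely on.
$userSubject = "Your password is changed"

if ([string]::IsNullOrWhiteSpace($useremail)) {
    # Accounts without a mail attribute (service accounts, for example) would
    # otherwise make To.Add() throw on an empty address.
    Write-Warning "No mail address found for '$user'; user notification skipped."
}
else {
    $userMessage = New-Object System.Net.Mail.MailMessage
    try {
        $userMessage.From = "<FROM MAILADRESS>"
        $userMessage.To.Add("$useremail")
        $userMessage.Subject = $userSubject
        $userMessage.IsBodyHtml = $true
        $userMessage.Body = $userBody
        $userMessage.Attachments.Add($att1)
        $SmtpClient.Send($userMessage)
    }
    catch {
        Write-Error "User notification for '$user' could not be sent: $_"
    }
    finally {
        # Disposing the message also releases the attached picture file.
        $userMessage.Dispose()
    }
}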