This is based on Security Event ID\u00a04724. When this is logged on the domain controller, Task Scheduler kicks this script. And send a mail to Admin and user. And also creates a local log file who reset the password.<\/p>\n
# Created by Daag van der Meer on 12-10-2018\r\n# Blog.van-daag.nl\r\n# Powershell Send mail When account password reset is done To user and admin.\r\n# Save this also in a Log file\r\n \r\n##################\r\n## Temp location for creating HTML email\r\n##################\r\n$Report= \"c:\\Temp\\reset.html\" \r\n\r\n##################\r\n## Log location\r\n##################\r\n$log= \"C:\\Logs\\Accountreset.csv\"\r\n \r\n$HTML=@\" \r\n<title>Account locked out Report<\/title> \r\n<!--mce:0--> \r\n\"@ \r\n\r\n##################\r\n## Retrieve eventlog with all value\r\n##################\r\n\r\n$event = Get-EventLog -LogName Security -InstanceId 4724 -Newest 1 |\r\n Select TimeGenerated, ReplacementStrings |\r\n % { \r\n New-Object PSObject -Property @{ \r\n \"Account name\" = $_.ReplacementStrings[0] \r\n \"Account Domain\" = $_.ReplacementStrings[1] \r\n \"Reset by\" = $_.ReplacementStrings[4] \r\n Date = $_.TimeGenerated \r\n } \r\n } \r\n\r\n##################\r\n## Retrieve eventlog For filter username\r\n##################\r\n\r\n$userevent= Get-EventLog -LogName Security -InstanceId 4724 -Newest 1 | Select-Object @{n='UserName';e={$_.ReplacementStrings[0]}}\r\n$user= $userevent -replace \".*=\" -replace \"}\"\r\n\r\n##################\r\n## send mail to admin\r\n##################\r\n\r\n\r\n$event | ConvertTo-Html -Property \"Account name\",\"Account Domain\",\"Reset By\",Date -head $HTML -body \"<H2> User account password is reset<\/H2>\"| \r\n Out-File $Report -Append \r\n\r\n##################\r\n## Mail config admin\r\n##################\r\n\r\n$MailBody= Get-Content $Report \r\n$MailSubject= \"User password reset\" \r\n$SmtpClient = New-Object system.net.mail.smtpClient \r\n$SmtpClient.host = \"<MAIL SERVER>\" \r\n$MailMessage = New-Object system.net.mail.mailmessage \r\n$MailMessage.from = \"<FROM MAILADRESS>\" \r\n$MailMessage.To.add(\"<MAILADRESS>\") \r\n$MailMessage.Subject = $MailSubject \r\n$MailMessage.IsBodyHtml = 1 \r\n$MailMessage.Body = $MailBody \r\n$SmtpClient.Send($MailMessage) \r\n\r\ndel c:\\Temp\\reset.html\r\n$event | Export-Csv $log -NoTypeInformation -Append\r\n\r\n\r\n#############################\r\n### Send mail to user #######\r\n#############################\r\n\r\n$useremail = Get-ADUser $user -Properties mail | Select-Object -ExpandProperty mail\r\n$userfirstname1 = Get-ADUser $user -Properties GivenName | Select-Object GivenName\r\n$userfirstname = $userfirstname1 -replace \".*=\" -replace \"}\"\r\n$userlastsname1 = Get-ADUser $user -Properties Surname | Select-Object Surname\r\n$userlastsname = $userlastsname1 -replace \".*=\" -replace \"}\"\r\n\r\n$Pic = '<ADD LOCATION FOR PICTURE IN MAIL>'\r\n\r\n$att1 = new-object Net.Mail.Attachment($Pic)\r\n$att1.ContentType.MediaType = \u201cimage\/png\u201d\r\n$att1.ContentId = \u201cAttachment\u201d\r\n\r\n##################\r\n## HTML mail setup to user\r\n##################\r\n\r\n$userBody = @\"\r\n<html>\r\n <body>\r\n <span lang=NL style='font-size:10.0pt;line-height:106%;color:black'>\r\nDear $userfirstname $userlastsname,<br>\r\n<br>\r\nThe password for your <b>DOMAIN\\$user<\/b> account has been reset.<br>\r\nIf you did not request this, please inform:<br>\r\n<br>\r\nThis is an automated email.<br>\r\n<br>\r\n<\/span>\r\n<img src=\"cid:Attachment\">\r\n\"@\r\n\r\n##################\r\n## Mail config user\r\n##################\r\n\r\n$userSubject = \"Your password is changed\"\r\n$userMessage = New-Object system.net.mail.mailmessage \r\n$userMessage.from = \"<FROM MAILADRESS>\"\r\n$userMessage.To.add(\"$useremail\") \r\n$userMessage.Subject = $userSubject \r\n$userMessage.IsBodyHtml = 1\r\n$userMessage.Body = $userBody \r\n\r\n\r\n$userMessage.Attachments.Add($att1)\r\n\r\n\r\n$SmtpClient.Send($userMessage)<\/pre>\n <\/p>\n","protected":false},"excerpt":{"rendered":"
This is based on Security Event ID\u00a04724. When this is logged on the domain controller, Task Scheduler kicks this script. And send a mail to Admin and user. And also creates a local log file who reset the password. # Created by Daag van der Meer on 12-10-2018 # Blog.van-daag.nl # Powershell Send mail When […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[34,11,1],"tags":[],"class_list":["post-334","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-powershell-script","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/van-daag.nl\/index.php?rest_route=\/wp\/v2\/posts\/334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/van-daag.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/van-daag.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/van-daag.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/van-daag.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=334"}],"version-history":[{"count":2,"href":"https:\/\/van-daag.nl\/index.php?rest_route=\/wp\/v2\/posts\/334\/revisions"}],"predecessor-version":[{"id":336,"href":"https:\/\/van-daag.nl\/index.php?rest_route=\/wp\/v2\/posts\/334\/revisions\/336"}],"wp:attachment":[{"href":"https:\/\/van-daag.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/van-daag.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/van-daag.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}