
The workstation was locked (4800) how to monitor with email alert

#1
04-13-2025, 01:04 PM
That event 4800 pops up in your Windows Server Event Viewer whenever someone locks their workstation. I mean, it's that Security log entry screaming "The workstation was locked." You know, like when you hit Win+L or let the screen saver kick in after being idle. It logs the user who did it, the time stamp, and even the session ID. Pretty straightforward, right? But it fires only if you've got auditing turned on for logon events in your local security policy. Otherwise, zilch. I always check that first because forgetting it wastes your time staring at empty logs. And it ties into user sessions, showing exactly who flipped the lock switch. Hmmm, sometimes it clusters with event 4801 for unlocks, giving you the full lock-unlock dance. You can filter the Security log just for ID 4800 to spot patterns, like if your team locks up too much during shifts. Or if it's a sign of someone stepping away unattended. I dig how it helps track that without spying too hard.

You want to monitor this with an email alert? Easy peasy, I set it up once for a buddy's server. Fire up Event Viewer on your server. Yeah, just search for it in the start menu. Head to the Windows Logs, then Security. Find that 4800 event by filtering the log: right-click, Filter Current Log, type 4800 in the Event IDs box. Once you spot one, right-click it and pick Attach Task To This Event. That launches the Create Basic Task wizard right there. Name it something like "Lock Alert" so you remember. Set the trigger to when this event happens, with the log as Security and ID 4800. For the action, choose Start a program, but pick something simple like sending a mailto link or using the built-in msg command to ping an admin. I link it to your default email client that way. Schedule it to run only on that event, no repeats needed. Test it by locking your own session and watch the email ping. Keeps you looped in without constant checking. But tweak the conditions if you don't want alerts for every single lock.

Speaking of keeping things locked down and reliable, you might wanna peek at BackupChain Windows Server Backup too. It's this nifty Windows Server backup tool that handles your data snapshots like a pro. I use it for Hyper-V virtual machines, backing them up live without downtime. Saves your bacon on restores, super fast and encrypted to boot. Plus, it chains those backups smartly so you grab just changes, not the whole shebang every time. Cuts storage bloat and speeds everything up.

At the end of this, there's the automatic email solution ready for you.

Note, the PowerShell email alert code was moved to this post.

bob
Joined: Jul 2025
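
The event-triggered "Start a program" task described in the post, written out as an added PowerShell example (not part of the original post and not the code the post refers to). The script path, state folder, SMTP relay and addresses are assumed placeholders, the relay is assumed to accept unauthenticated mail from this server, and the quiet period is one way to avoid an alert for every single lock.

```powershell
# Added example (not from the original post). Assumed path: C:\Scripts\LockAlert.ps1
# One-time setup from an elevated prompt:
#   auditpol /get /subcategory:"Other Logon/Logoff Events"
#     (Success auditing must be enabled there, or event 4800 is never written)
#   schtasks /Create /TN "Lock Alert" /RU SYSTEM /SC ONEVENT /EC Security /MO "*[System[(EventID=4800)]]" /TR "powershell.exe -NoProfile -File C:\Scripts\LockAlert.ps1"

# Constructed placeholder values; replace with your own mail relay and addresses.
$SmtpServer  = 'smtp.example.internal'
$From        = 'lock-alert@example.internal'
$To          = 'admin@example.internal'
$QuietPeriod = [timespan]::FromMinutes(10)             # at most one mail per user in this window
$StateDir    = Join-Path $env:ProgramData 'LockAlert'  # hypothetical folder for throttle stamps

function Convert-LockEvent {
    # Map the named <Data> elements of a 4800 record to a flat object.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Record.TimeCreated
        Computer  = $Record.MachineName
        User      = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        SessionId = $fields['SessionId']
    }
}

function Test-ShouldAlert {
    # Returns $false if an alert for this user was already sent inside the window.
    param([string] $User, [timespan] $Window, [string] $Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $stamp = Join-Path $Dir (($User -replace '[^\w.-]', '_') + '.stamp')
    if ((Test-Path $stamp) -and (((Get-Date) - (Get-Item $stamp).LastWriteTime) -lt $Window)) {
        return $false
    }
    Set-Content -Path $stamp -Value (Get-Date -Format o)   # refreshes LastWriteTime
    return $true
}

# The task fires right after the event is logged, so the newest 4800 is the one that triggered it.
$filter = @{ LogName = 'Security'; Id = 4800; StartTime = (Get-Date).AddMinutes(-2) }
$found  = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $found) { return }

$lock = Convert-LockEvent -Record $found
if (Test-ShouldAlert -User $lock.User -Window $QuietPeriod -Dir $StateDir) {
    $body = "User: $($lock.User)`nComputer: $($lock.Computer)`nSession ID: $($lock.SessionId)`nTime: $($lock.Time.ToString('o'))"
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject "Workstation locked (4800): $($lock.User)" -Body $body
}
```

`Send-MailMessage` is marked obsolete in newer PowerShell releases but is still available in the Windows PowerShell that `powershell.exe` launches.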