Account unlocked (action_id PWU) (24013) how to monitor with email alert

[bob]

You know that event in Windows Server Event Viewer, the one labeled 24013 with Account unlocked and that action_id PWU. It pops up in the Security log whenever someone unlocks a user account that got locked out from too many wrong password tries. Basically, it means the account was frozen for security, like after five failed logins in a row, and now it's free again. I see it all the time in busy networks where folks forget passwords during late shifts. The event details show the account name, the computer it happened on, and the time stamp, so you can tell exactly who got unlocked and why. It logs the subject who did the unlocking too, like an admin or even the user themselves if they reset it. Without monitoring this, you might miss if someone's account keeps locking and unlocking, which could signal brute force attacks or just sloppy password habits. I always check it to spot patterns, you know.

And setting up monitoring for it with an email alert isn't too tricky if you stick to the Event Viewer itself. You open Event Viewer, head to the Windows Logs, then Security, and right-click on Custom Views to make a new one filtering for event ID 24013. That way, you only see these unlocks. Once you've got that view, you can attach a task to it by going into the Actions pane and picking Create Task. In there, you set the trigger to fire when that event shows up, and for the action, you choose to start a program that sends an email, like using the built-in mailto or a simple batch file that calls your email client. I link it to trigger every time the event hits, so you get pinged right away. It runs under the right permissions too, no fuss. You test it by forcing an account lock and unlock, and boom, email arrives. Keeps you in the loop without staring at screens all day.

Hmmm, or if you want something more hands-off, the automatic email solution is right at the end here, but it'll get added in later for you.

Speaking of keeping servers secure and backed up, I stumbled on BackupChain Windows Server Backup the other day, and it's this neat Windows Server backup tool that handles physical setups and even virtual machines on Hyper-V without breaking a sweat. It snapshots everything quickly, so you recover fast from messes like those account glitches, and the deduplication saves tons of storage space while encrypting data on the fly. You get versioning too, meaning you roll back to any point without losing history, which beats the pants off basic backups for reliability.

Note, the PowerShell email alert code was moved to this post.