'maile mir den angegebenen Event wenn ein Benutzer gesperrt wird / rb / 2015
'--------------------------------------------------Settings------------------------------------------------- 
'Gibt die Maximale Anzahl der zurückgelieferten Einträge an 
'Werte für System Log 
maxwert = 1 

'gibt an wieviele Tage zurück gegangen werden soll 
zeitsp = 1 
'Email Settings 
absender = "userwatch@domain.de" 
mailserver = "meinexchange" 
empfaenger = "admin@domain.de"
EventID = 4740
'Set oArg = wscript.arguments 
'strServer = oArg(0) 
strServer = "."

'--------------------------------------------Settings End--------------------------------------------------- 
mail = "" 
Account = ""
Computer = ""
Mess = ""
ifertig = "False" 
 
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2") 
Set objInstances = objWMI.ExecQuery ("Select * from Win32_NTLogEvent WHERE Logfile = 'Security' and EventCode = " & EventID) 

dat = now() - zeitsp 
i = 0 

 For Each objInstance in objInstances 
        dat1 = objInstance.TimeGenerated 
        dat1 = dConvertWMItoVBSDate(dat1) 
                if i < maxwert and dat1 > dat Then 
                        With objInstance             
                		Mess = replace(.Message, ".", ".<br>")
				Mess = replace(Mess, "Account Name:", "<br>Account Name:")
				Mess = replace(Mess, "Account Domain:", "<br>Account Domain:")
				Mess = replace(Mess, "Logon ID:", "<br>Logon ID:")
				Mess = replace(Mess, "Account That Was Locked Out:", "<br>Account That Was Locked Out:")
				Mess = replace(Mess, "Security ID:", "<br>Security ID:")
				Mess = replace(Mess, "Additional Information:", "<br>Additional Information:")
				Mess = replace(Mess, "Caller Computer Name:", "<br>Caller Computer Name:")
                        	mail = mail &   "Server: " & .ComputerName & "<br>" 
                        	mail = mail &   "EventID: " & .EventCode & "<br>" 
                        	mail = mail &   "Message:" & Mess & "<br>" 
				mail = mail &   "Source: " & .SourceName & "<br>" 
                        	mail = mail &   "Datum: " & dConvertWMItoVBSDate(.TimeGenerated) & "<br>" 
				Mess2 = Split(mail,"<br>")
				Account = RTrim(Right(Mess2(10),Len(Mess2(10)) -15))
				Computer = Right(Mess2(12),Len(Mess2(12)) -22)
						
                        i = i + 1 
                        End With 
                        On Error Goto 0 
                Elseif i > maxwert Then 
                        ifertig="True" 
                        exit for 
                Elseif dat1 < dat Then 
                        ifertig="True" 
                        exit for 
                end if 
Next 
    Set objEmail = CreateObject("CDO.Message") 
        objEmail.From = absender 
        objEmail.To = empfaenger 
        objEmail.Subject = "User " & Account & " is locked from " & Computer  & " on DC " & strServer
        objEmail.HTMLbody = "<HTML><Body>" & mail & "<br>" & "</body></html>" 
        objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 
        objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = mailserver 
        objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 
        objEmail.Configuration.Fields.Update 
        objEmail.Send 

wscript.quit 
''''''''''''''''''''''
Private Function dConvertWMItoVBSDate(sDate) 

  Dim sMonth, sDay, sYear, sHour, sMinutes, sSeconds 

  sMonth = Mid(sDate,5,2) 
  sDay = Mid(sDate,7,2) 
  sYear = Mid(sDate,1,4) 
  sHour = Mid(sDate,9,2) 
  sMinutes = Mid(sDate,11,2) 
  sSeconds = Mid(sDate,13,2) 
  dConvertWMItoVBSDate = DateSerial (sYear, sMonth, sDay) + TimeSerial (sHour, sMinutes, sSeconds) 

End Function