Thursday 5 February 2015

Unable to send email from SBS 2008 Task Scheduler when Event Viewer Audit Failure, error 2147746321

I wanted an SBS 2008 server (which is essentially Windows Server 2008) to email me if there was a login failure recorded. So if someone types the wrong password, or more importantly, starts trying to guess a password, I'll get a notification.

The Event Viewer should let you attach a task to a particular event id, in this case Audit Failure Event ID 4625. Find one in the event viewer (using Filter Current Log > keywords > Audit Failure) then right-click and Attach Task.

Except no matter how many combinations of user/SYSTEM account, Run whether user is logged in or not, highest privileges and then messing with the from field and the smtp server (including a second receive connector on a different port), localhost vs ip vs ... it just wouldn't send an email. I couldn't even see in the Transport Roles verbose logging what was happening. The only hint was in the Task properties under history which showed error 2147746321. That didn't Google to anything that fixed the problem.

So I gave up on that plan.

And decided to attach a script instead, dead simple, ran first time. So open notepad and paste this script in

Set objMail = CreateObject("CDO.Message")
Set objConf = CreateObject("CDO.Configuration")
Set objFlds = objConf.Fields
objFlds.Item("") = 2
objFlds.Item("") = "SERVER1"
objFlds.Item("") = 25
objMail.Configuration = objConf
objMail.From = ""
objMail.To = "support@redleg"
objMail.Subject = "Security audit failure (Acme Cleaning)"
objMail.TextBody = "Please check the security log on SERVER1 at Acme Cleaning."
Set objFlds = Nothing
Set objConf = Nothing
Set objMail = Nothing
Save the file as "security-warning.vbs" into somewhere handy like c:\users\administrator and change the task action from send email to run a program, point it at that script.

Oh and you'll need to update the script with your server, from email address and to email address.

Note that the sending port is the default 25 in this example which doesn't allow internal smtp by default. You might want to create another Receive Connector in Exchange Management Console > Server Config > Hub Transport using another port, eg 25025 and allow anonymous internal email via that instead.

No comments:

Trust 1&1 Internet for your domain name registration, from only £1.99/year!. Check now!