For my audit report, I had to create an audit list covering the creation, deletion, disabling, enabling, locking and unlocking of my AD users.
Since we don't have SCOM on our premises, I had to come up with something that would trigger an e-mail to me when such an event occurs.
First of all, you have to enable user auditing in the Default GPO.
After that, I connected to my primary domain controller and created a PowerShell script (with a little help from http://powershell.com/cs/) which sends me an e-mail in HTML form, with some parameters.
The script first creates an HTML file with a table, which it then populates from the Security log events with Event ID 4740. Once the HTML file is populated, the table is set as the message body and sent to the e-mail addresses.
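A script of the kind described above, written as an added example and not the author's original script. The SMTP server, the addresses and the report file name are placeholder assumptions; the field names are those recorded in the 4740 event data.

```powershell
# Added example. All values in this block are assumptions; replace them with your own.
$SmtpServer = 'smtp.example.com'                              # assumed SMTP relay
$From       = 'dc-alerts@example.com'                         # assumed sender
$To         = 'admin@example.com'                             # assumed recipient
$ReportPath = 'C:\Admin\lockedaccount\lockout_report.html'    # hypothetical report file

# Read the most recent lockout events (ID 4740) from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                       -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) { return }   # nothing to report

$rows = foreach ($e in $events) {
    # Index the event data by field name instead of relying on property order.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        LockedAccount  = $data['TargetUserName']
        # In event 4740 the caller computer name is stored in TargetDomainName.
        CallerComputer = $data['TargetDomainName']
        LoggedOn       = $e.MachineName
    }
}

# Build the HTML table, keep a copy on disk, and use it as the mail body.
$html = $rows |
    ConvertTo-Html -Title 'Account lockouts' `
                   -PreContent '<h3>Account lockouts (Event ID 4740)</h3>' |
    Out-String
Set-Content -Path $ReportPath -Value $html -Encoding UTF8

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
                 -Subject "Account locked out: $($rows[0].LockedAccount)" `
                 -Body $html -BodyAsHtml
```

The account that runs the scheduled task needs permission to read the Security log on the domain controller.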
After creating this PowerShell script, the next step is to create an event trigger which will send this e-mail.
This is done through Task Scheduler.
-command "& 'C:\Admin\lockedaccount\account_locked_out.ps1' "
The final result is this:
Now you can do the same for Unlock account (4767), Disable account (4725), Delete account (4726), etc.
I found this site with lists of Event IDs: link