Who’s there? Sauron’s all-seeing Script or “The Logon Alert”


Today I want to introduce you to another favorite script of mine. With this script I can be sure to get informed instantly when someone connects to a server with Remote Desktop. In some cases this will help you figure out which users connect to your servers and, of course, from which network. Maybe you want this to get control of the Remote Desktop connections without spending money on monitoring solutions or time on fighting with your Windows Event Logs.

In any case, in the past I have often seen my customers or other IT administrators connect to servers without any real need to. Maybe they just want to configure services or something like that and simply don't know about other ways to do so. With this script you can figure out multiple things and get a nice overview of your environment.

And as always, this should be done with the least possible effort.

First of all – creating the Script

OK, first we need to create the script that we will deploy to all servers, and put it into the Netlogon share on our Domain Controllers to publish it globally.

So I created “LogonAlert.ps1” in the Netlogon share. You can place it wherever you want, as long as you can access it from anywhere in your environment to publish it to all servers.

What's in the script now?

As a good PowerShell designer you start with the script description, like this:

#Publisher: Tom's IT Blog
#Last Change: DateOfLastChange
#Description: Send a Mail Notification on Remote Desktop Connections of Users to xxx@maildomain.com


We start with the following lines:

$FromAddress = "LogonAlert@Toms-IT-Blog.com"
$ToAddress = "LogonAdmins@Toms-IT-Blog.com"
$SMTPAddress = "Mailserver.domain.com"
$Computer = $env:Computername
$UserDetails = @()

And now we add some styles for our mail:

# CSS for the HTML table; ConvertTo-Html -Head inserts this string into the <head>, so it is wrapped in a <style> element
$a = "<style>"
$a = $a + "TABLE{border-width: 1px;border-style: solid;border-color:black;}"
$a = $a + "Table{background-color:#ffffff;border-collapse: collapse;}"
$a = $a + "TH{border-width:1px;padding:0px;border-style:solid;border-color:black;}"
$a = $a + "TR{border-width:1px;padding-left:5px;border-style:solid;border-color:black;}"
$a = $a + "TD{border-width:1px;padding-left:5px;border-style:solid;border-color:black;}"
$a = $a + "</style>"

And now the main part of our script:

# Newest successful logon (Security event 4624) whose LogonType (Properties[8]) is 10 = RemoteInteractive, i.e. Remote Desktop
$LogOnEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; Level=0} | Where-Object { $_.Properties[8].Value -eq 10 } | Select-Object -First 1
$HashProps = @{
    UserName  = $LogOnEvents.Properties[5].Value    # TargetUserName
    ClientIP  = $LogOnEvents.Properties[18].Value   # IpAddress of the RDP client
    LogonTime = $LogOnEvents.TimeCreated
}
$UserDetails = New-Object -TypeName PSCustomObject -Property $HashProps |
    Select-Object -Property UserName,ClientIP,LogonTime
$User = $UserDetails | Select-Object -ExpandProperty UserName

Finally, the send-mail lines:

$messageParameters = @{
    Subject    = "$User LoggedIn to $Computer "
    Body       = ( $UserDetails | ConvertTo-Html -Head $a |
                   Out-String -Width ([int]::MaxValue))
    From       = $FromAddress
    To         = $ToAddress
    SmtpServer = $SMTPAddress
}
Send-MailMessage @messageParameters -BodyAsHtml
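The script above reports only the single newest RDP logon, so two users connecting between two task runs produce one mail, and a run that finds nothing new re-mails the previous logon. The following is an added example, not the post's LogonAlert.ps1, showing how to report every Remote Desktop logon since the previous run exactly once: it remembers the last processed EventRecordID in a state file, filters on the named LogonType field in the event XML instead of the positional Properties[8], and sends one mail with all new logons. The state file path is an assumption; the mail addresses and server are the same placeholders the post uses.

```powershell
# Added example (not the original LogonAlert.ps1): mail every RDP logon recorded since the last run.
# Assumed: the state file location below; mail addresses/server are the post's placeholders.
$FromAddress = "LogonAlert@Toms-IT-Blog.com"
$ToAddress   = "LogonAdmins@Toms-IT-Blog.com"
$SMTPAddress = "Mailserver.domain.com"
$Computer    = $env:COMPUTERNAME
$StateFile   = Join-Path $env:ProgramData 'LogonAlert\LastRecordId.txt'   # assumed location

New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null

if (Test-Path $StateFile) {
    # EventRecordID of the last logon that was already reported
    $LastId = [int64](Get-Content -Path $StateFile -TotalCount 1)
} else {
    # First run: seed the state with the newest Security record so the whole history is not mailed at once
    $LastId = (Get-WinEvent -LogName Security -MaxEvents 1).RecordId
    Set-Content -Path $StateFile -Value $LastId
}

# 4624 events that are RemoteInteractive (LogonType 10) and newer than the last reported record.
# Matching the named EventData field is more robust than relying on the position of Properties[8].
$XPath  = "*[System[EventID=4624 and EventRecordID>$LastId] and EventData[Data[@Name='LogonType']='10']]"
$Events = Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue
if (-not $Events) { return }   # nothing new to report

# Read the fields by name from the event XML instead of by index
$UserDetails = foreach ($Evt in $Events) {
    $Data = @{}
    foreach ($Node in ([xml]$Evt.ToXml()).Event.EventData.Data) {
        $Data[$Node.GetAttribute('Name')] = $Node.InnerText
    }
    [pscustomobject]@{
        UserName  = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"
        ClientIP  = $Data['IpAddress']
        LogonTime = $Evt.TimeCreated
        RecordId  = $Evt.RecordId
    }
}
$UserDetails = @($UserDetails | Sort-Object LogonTime)

# Remember the newest record so the next run starts after it and nothing is mailed twice
Set-Content -Path $StateFile -Value ($UserDetails | Measure-Object -Property RecordId -Maximum).Maximum

# Same table styling as the post, wrapped in the <style> element ConvertTo-Html -Head expects
$Style = "<style>TABLE{border-width:1px;border-style:solid;border-color:black;border-collapse:collapse;}" +
         "TH,TD{border-width:1px;padding-left:5px;border-style:solid;border-color:black;}</style>"

$MessageParameters = @{
    Subject    = "$($UserDetails.Count) RDP logon(s) to $Computer"
    Body       = ($UserDetails | ConvertTo-Html -Property UserName,ClientIP,LogonTime -Head $Style | Out-String)
    From       = $FromAddress
    To         = $ToAddress
    SmtpServer = $SMTPAddress
}
Send-MailMessage @MessageParameters -BodyAsHtml
```

Because the filter is done in XPath, the Security log is not read in full on every run; only records above the stored ID are touched. The state file lives under ProgramData because the task runs as SYSTEM and a per-user profile path would not be stable.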

And the whole script looks like this:

The Second Shot – Deploying the Script with Group Policy Task and File Deployment

OK, now that we have created the script, we need to deploy it to every server. In my case I use Group Policy for such things, since it is fast and simple for cases like this.

So you need to open your Group Policy Management Editor console (directly on a Domain Controller, or with the tools you normally use to edit Group Policies).

In my case I use structured Group Policy names and group related settings into what I call “Function Policies”, where I collect all the settings and deploy them directly via Group Policy Preferences (I will cover this topic in another blog post in the future).

So it looks like this:

In my production environment I often need enforced Group Policies when I want to deploy a policy to every kind of object, because of the many layers of Organizational Units with blocked Group Policy inheritance. But I would not recommend that everyone “plays” it like I do.

I configured the Group Policy with the default settings, but if you really want to, you can choose different Security Filtering or WMI Filtering.

Now to the fine configuration of the Group Policy Object.

First: Folder Deployment

Open your Group Policy and navigate to “Computer Configuration” – “Preferences” – “Windows Settings” – “Folders”

Now create a new Folder with Right-Click – “New” – “Folder”.

Fill it out like this

Now create another Folder and enter the information like:

And now you ask: “Why hidden? Why push this deployment out to every computer?” This is just how it is in my case. I publish a few more scripts to clients and servers, and I do not allow client computers to see hidden files, so this was the “easy way” to realize it. You can simply change the Item-level targeting under “Common” if you want to restrict this folder to servers only, or whatever you prefer.

Second: File Deployment

Now move to “Files” and create a new File with Right-Click – “New” – “File”

Fill out the information like:

And now move to “Common” – “Item-level targeting” and click on “Targeting…”

Specify the criteria by which you want to filter the script deployment. In my case it is:

Third: Scheduled Task Deployment

The last step of the Group Policy deployment is to deploy the Scheduled Task itself.

Move to “Computer Configuration” – “Preferences” – “Control Panel Settings” – “Scheduled Tasks”

Create a new Scheduled Task (At least Windows 7) and fill in the following information:

General Tab

Triggers Tab

Actions Tab

Conditions Tab

Settings Tab

Common Tab

And now you are good to go. You can move on to part three, which is basically just testing.

All good things come in threes – Release the Storm

At this point you can do it however you like. Connect to a server, run gpupdate /force and reboot it to see whether you receive mails after the server reboot.
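Before waiting for a mail, it helps to confirm on the target server that all three Group Policy Preferences items actually applied. The following is an added check, not part of the post, that tests whether the script file is present, whether the scheduled task is registered and what its last run result was, and how many RDP logons (4624, LogonType 10) the log holds for the last 24 hours. The script path and task name are assumptions; replace them with the values you entered in the File and Scheduled Task items. Get-ScheduledTask needs Windows 8 / Server 2012 or newer.

```powershell
# Added verification snippet (not from the post): run on a server after gpupdate /force.
# Assumed: the deployment path and task name below match your GPP File and Scheduled Task items.
$ScriptPath = 'C:\Scripts\LogonAlert.ps1'   # assumed deployment path
$TaskName   = 'LogonAlert'                  # assumed scheduled task name

$Task     = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
$TaskInfo = if ($Task) { $Task | Get-ScheduledTaskInfo }

# RDP logons in the last 24 hours (timediff is in milliseconds); newest first
$XPath  = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='LogonType']='10']]"
$Recent = @(Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ScriptDeployed = Test-Path $ScriptPath
    TaskRegistered = [bool]$Task
    TaskState      = if ($Task) { $Task.State } else { 'missing' }   # Ready / Running / Disabled
    LastRunTime    = $TaskInfo.LastRunTime
    LastTaskResult = $TaskInfo.LastTaskResult   # 0 means the last run finished without error
    RdpLogons24h   = $Recent.Count
    NewestRdpLogon = ($Recent | Select-Object -First 1).TimeCreated
}
```

If ScriptDeployed or TaskRegistered is False, the problem is in the GPO (Item-level targeting, inheritance, or the Netlogon path); if both are True but no mail arrives, check LastTaskResult and the SMTP server before touching the script.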

The mail should look like this:

Finishing Words

Thank you for reading this. If you have already checked out my other posts you will see that the wording and design of my posts are always in the same style. If I have already explained some part in another post, I copy-paste most of the already explained material instead of creating a huge number of links between my pages, so that if you have never read any other posting you will still find everything you need on the page you are reading.

If you wish to see more of them, or if you want to see specific content, just let me know in the comment section below. If you have any problems with the task above, let me know and I will explain it a bit better.

I hope I was able to help some IT guys out there with my post.

If you like this post, please support me and share it with other administrators.
