Hi Experts,
Out from my regular Hyperion related posts, thought of sharing some knowledge over PowerShell. I started learning this tool just a week back and found it as incredible and powerful.
Background
I received a request from one of my client, who wish to track users who login to Server(s). We all knew that we can very well get these details from Event Log that can be ran by System Administrator over the month-end. So, what if we have a common user account that’s used by multiple people and trying to access Server?
I thought of enabling the same to my Hyperion server(s), that would ideally keep me posted on every login that take place using RDP / Terminal Services Connection.
Using PowerShell Script to Track Remote Computer Login(s) with Email
We have lot of resources with our friend Google, which provide variety of solutions to Track remote computer login(s) and send email alerts in a single line as “Someone just logged in to your computer”. I hope you might also have the same question, who is that someone?? Where is that someone??
Let’s get to the solution real quick.
Initial Requirements
- Admin Access to Server
- Windows 2008+ OS
- Basic knowledge on Scripting
Script
Function get-LoggedUser { param( [CmdletBinding()] [Parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [string[]]$ComputerName = $env:COMPUTERNAME ) begin { $ErrorActionPreference = 'Stop' } process { foreach ($Computer in $ComputerName) { try { quser /server:$Computer | Select-Object -Skip 1| ForEach-Object { $CurrentLine = $_.Trim() -Replace '\s+',' ' -Split '\s' if($CurrentLine[3] -eq 'Active') { $HashProps = [PSCustomObject]@{ UserName = $CurrentLine[0] Session = $CurrentLine[1] Id = $CurrentLine[2] Status = $CurrentLine[3] LogTime = $(Get-Date) } } } "User Logged with ID`t: `t"+$HashProps.UserName "User Logged Session`t: `t"+$HashProps.Session "Current User Status`t: `t"+$HashProps.Status "User Logged in Time`t: `t"+$HashProps.LogTime netstat -p TCP -f | Select-Object | ForEach-Object { $NewLine = $_.Trim() -replace '\s+',' ' -split '\s' if($NewLine[1] -like '*:3389') { $NetProps = @{ Protocol = $NewLine[0] LogicAdd = $NewLine[1] LoginMachine = $NewLine[2].Substring(0,12) Est = $NewLine[3] } } } " " "User is connected from "+$NetProps.LoginMachine +" to Server "+ $env:COMPUTERNAME +"." } catch { Error = $_.Exception.Message } } } } $SMTPServer = "mail.satyanadh.in" $environment = "Satya DEV: " $UserName = $env:USERNAME $msg = new-object Net.Mail.MailMessage $msg.From = $env:computername+"@satyanadh.in" $msg.To.Add("me@satyanadh.in") $msg.Cc.Add("hyperion@satyanadh.in") $msg.Bcc.Add("hfm.trainer@gmail.com") $msg.Subject = $environment + $UserName + " User Logged in to " + $env:computername $msg.Body = "User Logged in Details:" $msg.Body+= "`n" $msg.Body+= "`n" $msg.Body+= get-LoggedUser | Out-String $msg.Body+= "`n" $msg.Body+= "`n" $msg.Body+= "`n" $msg.Body+= "`n" $msg.Body+= "`n" $msg.Body+= "`n" $msg.Body+= "`n" $msg.Body+= "`n" $msg.Body+= "Note: This is an Auto Generated Email, please do not reply to this email id." $SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25) $SMTPClient.EnableSsl = $false $SMTPClient.Send($msg)
Save the above script to your server. In this example file name is saved as “D:\Track\Logon.ps1”
Task Scheduler – Create Task
- Launch Task Scheduler
- Click Create Task…
-
In General Tab, perform these tasks
- Provide Name and Description for the task
- Change the option as “Run whether user is logged on or not”
-
Click Change User or Group…
- Change Object Type to be Groups
- Click Advanced
- Click Find Now > Select Administrators [This will track all the Administrators who login to server, if needed for Users select Users group]
- Click OK > Click OK
-
In Triggers Tab, perform these tasks
- Click New
- Change Begin the Task to “At log on” > Select “Any User”
- Click OK
-
In Actions Tab, perform these tasks
- Click New
- Action as “Start a Program”
- In Program/Script enter “powershell.exe”
- In Add arguments (optional): enter “-ExecutionPolicy Bypass -file “D:\Track\Logon.ps1”
- In Settings Tab, change the drop down option to “Run a new instance in parallel”
Enjoy tracking your servers and stay alerted 🙂
No responses yet