Script that logs logons by the local "Administrator" account to a hidden file and sends an e-mail alert with that log attached.

Ensure the PowerShell execution policy allows the script to run, and that the account logging on has permission to create and append to the log file (the script runs in the context of the user who logs on, not as SYSTEM).

Amend the mail variables in the script ($smtpServer, $msg.From and the $msg.To.Add addresses) to suit your environment.

Pre-Reqs:

1.) Copy the script as a file to each machine you want to audit via Group Policy Preferences (Preferences / Windows Settings / Files).

2.) Via GPO, under Computer Configuration / Administrative Templates / System / Logon, enable "Run these programs at user logon" and add the locally copied script from step 1 to the "Items to run at logon" list.

3.) Set the execution policy to "RemoteSigned" (or, less safely, "Unrestricted") via the registry through GPO or other means. RemoteSigned is enough for an unsigned script stored on the local disk; signing the script and using "AllSigned" is the stricter option.

Every logon is written to a hidden text file with the date, time and user name. When the user name matches "Administrator", the script also initiates an e-mail alert with the log attached. Two caveats: the match is a substring match, so any account whose name contains "Administrator" fires the alert, while a renamed built-in Administrator account does not; and because the script runs as the user being audited, an administrator can read, edit or delete the log and stop the script. Treat the e-mail as the primary record and keep Windows' own logon auditing (Security event ID 4624) as the authoritative source.

PowerShell
# Script:    Logon_Dropper.ps1
# Purpose:   At logon record the time, date and username of the user who has logged on to the local machine
# Author:    Paperclips
# Email:     pwd9000@hotmail.co.uk
# Date:      Apr 2013
# Comments:  Requires Windows PowerShell (uses the .NET System.Net.Mail classes); runs in the context of the user logging on
# Notes:
#            - Logon script to log local Administrator access to computer in hidden file and e-mail alert
#            - The short sleep lets the logon session settle before the log is written and mail is sent

Start-Sleep -Seconds 4

$filename = "C:\Windows\Temp\ldrop.txt"
$a        = Get-Date
$hostname = $env:COMPUTERNAME
# Alternative: (Get-WmiObject -Class Win32_ComputerSystem -Property UserName).UserName
# GetCurrent() returns the token of the user this script runs as, in DOMAIN\user or COMPUTER\user form
$logon = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Append one line per logon; -Append opens the existing file without truncating it, so it keeps working once the file is hidden
Write-Output "$logon - logged on at $a" | Out-File -FilePath $filename -Append -Encoding ascii
# Hide the log file; the hidden attribute is cosmetic, an administrator can still find and delete it
Set-ItemProperty -Path $filename -Name Attributes -Value ([System.IO.FileAttributes]::Hidden) -Force

# Substring match: fires for any account name containing "Administrator", misses a renamed built-in account
if ($logon -like "*Administrator*")
{
    $smtpServer = "192.168.2.2"                          # replace with your mail relay
    $msg  = New-Object System.Net.Mail.MailMessage
    $att  = New-Object System.Net.Mail.Attachment($filename)
    $smtp = New-Object System.Net.Mail.SmtpClient($smtpServer)
    $msg.From = "AdminLogon@contoso.com"                  # replace with your sender address
    $msg.To.Add("Auditor1@contoso.com")                   # replace with your recipients
    $msg.To.Add("Auditor2@contoso.com")
    $msg.Subject = "An ADMINISTRATOR Login has been detected - Please review attached log file from $hostname"
    $msg.Body = "Please check attached ldrop log file from $hostname  -  $a"
    $msg.Attachments.Add($att)
    $smtp.Send($msg)
    $msg.Dispose()   # releases the attachment's open handle on the log file
}
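Added example, not part of the original script: a variant of the same logon hook that identifies the built-in Administrator by its well-known RID (the SID ending in -500) rather than by name, so a renamed account is still caught, and records whether the token carries local Administrators membership. The log path, SMTP host and mail addresses are placeholders that you would replace as in the original.

```powershell
# Added example (not the original script): detect the built-in Administrator by SID, not by name.
# Placeholders: log path, SMTP relay and addresses are assumptions, replace them for your environment.

$LogFile    = 'C:\Windows\Temp\ldrop.txt'               # same path as the original script (assumption)
$SmtpServer = 'smtp.contoso.com'                         # placeholder relay
$MailFrom   = 'AdminLogon@contoso.com'                   # placeholder sender
$MailTo     = @('Auditor1@contoso.com', 'Auditor2@contoso.com')  # placeholder recipients

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid      = $identity.User.Value                         # e.g. S-1-5-21-<domain>-500

# The built-in Administrator always has RID 500, whatever the account is currently called.
$isBuiltInAdmin = $sid.EndsWith('-500')

# Local Administrators membership as the token reports it. With UAC enabled, other admins log on
# with a filtered token and this is $false for them; the built-in Administrator is unfiltered by default.
$principal          = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isLocalAdminMember = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# One structured line per logon, easy to grep or ship to a SIEM later.
$entry = '{0:yyyy-MM-dd HH:mm:ss} host={1} user={2} sid={3} builtin_admin={4} admin_token={5}' -f `
    (Get-Date), $env:COMPUTERNAME, $identity.Name, $sid, $isBuiltInAdmin, $isLocalAdminMember

# FileMode.Append opens an existing hidden file without error (a truncating create would be denied).
[System.IO.File]::AppendAllText($LogFile, $entry + [Environment]::NewLine)
$file = Get-Item -LiteralPath $LogFile -Force
$file.Attributes = $file.Attributes -bor [System.IO.FileAttributes]::Hidden

if ($isBuiltInAdmin -or $isLocalAdminMember) {
    $msg = New-Object System.Net.Mail.MailMessage
    try {
        $msg.From = $MailFrom
        foreach ($to in $MailTo) { $msg.To.Add($to) }
        $msg.Subject = "Administrator logon detected on $env:COMPUTERNAME"
        $msg.Body    = $entry
        $msg.Attachments.Add((New-Object System.Net.Mail.Attachment($LogFile)))
        $smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer)
        $smtp.Send($msg)
    }
    finally {
        $msg.Dispose()   # disposing the message also closes the attachment's handle on the log file
    }
}
```

Deploy it the same way as the original: copy it with Group Policy Preferences and run it from Computer Configuration / Administrative Templates / System / Logon ("Run these programs at user logon"), for example as powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File followed by the local path of the script. As with the original, the e-mail is the record to rely on: the script runs as the administrator being audited, who can delete the hidden log or kill the process.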