Solved

Login E-mail notification

Posted on 2003-11-06
Last Modified: 2010-04-14
One of our managers is getting paranoid that he is spending money for his field workers to have computer access, yet for some reason they are not using it.  He basically wants to have some way of knowing every single time certain users log in to the domain (he would prefer to just have an E-mail sent to him each time that happens).  I am the IT guy and am not too keen on installing software for this purpose on any of my servers.  Does anyone know of a way to do this without installing additional software (i.e., policies, etc.)?  If someone can think of a way to do this, I am open to suggestions... for right now though, I am seeing this as something that is not going to happen.
Question by:rustyrpage
56 Comments
 
LVL 32

Accepted Solution

by:
Luc Franken earned 125 total points
ID: 9696683
If they login using VPN, you can use a loginscript with a notification using NET SEND

You can put this line into their loginscript:

NET SEND <IP-address of your manager's computer> This computer connected to the business network

Now your manager will get a notification every time someone logs in and have the computername at the same time (so he knows who logs in)

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9696687
btw. If they dial in directly, this also works.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9696701
Sending an email every time someone logs in is not possible. What you can do is enable the login success audit policy in your GPO and then email the audit log file to your manager. You can do this by scheduling a task, maybe once a day. For sending the email u need to have IIS running on ur machine though.
0
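
A present-day PowerShell take on the scheduled audit-log report suggested above, added here as an illustration and not posted by anyone in the thread: it reads Kerberos logon events from each domain controller's Security log and mails only the rows for a short list of named accounts, not the log file itself. It assumes Windows Server 2008 or later event IDs (4768, ticket-granting ticket requested) with Kerberos authentication service auditing enabled; the account names, DC names, SMTP host and addresses are placeholders.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the thread.
$Tracked    = 'jsmith', 'mjones', 'akhan'          # accounts the manager asked about
$DCs        = 'dc01.example.local', 'dc02.example.local'
$Since      = (Get-Date).AddDays(-1)               # task is scheduled once a day
$SmtpServer = 'smtp.example.local'

$rows = foreach ($dc in $DCs) {
    # Event 4768 is written on the DC that issued the Kerberos TGT, so every DC
    # has to be asked. Filtering by ID and time is done by the event log service.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $Since
    }
    foreach ($e in $events) {
        # Read the event fields by name from the XML rather than by position.
        $f = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

        # Keep successful requests (Status 0x0) for tracked accounts only.
        # -contains is case-insensitive, so 'JSmith' matches 'jsmith'.
        if ($f['Status'] -eq '0x0' -and $Tracked -contains $f['TargetUserName']) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                User   = $f['TargetUserName']
                Source = $f['IpAddress'] -replace '^::ffff:', ''   # IPv4-mapped prefix
                DC     = $dc
            }
        }
    }
}

# Mail the filtered rows only; nothing is sent on a day with no matching events.
if ($rows) {
    $body = $rows | Sort-Object Time | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From 'it@example.local' `
        -To 'manager@example.local' -Subject "Logons for tracked accounts since $Since" -Body $body
}
```

Event 4768 records a ticket request, not only an interactive logon, so one working session can produce more than one row.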
 
LVL 6

Author Comment

by:rustyrpage
ID: 9696726
Both of those may work, but not for my situation:

1) LucF - That is a good idea, but I have over 200 computer users, I cannot specify particular login scripts for the 2 or 3 users that he wants to track
2) There is no way that I am going to give my audit file to one of twenty managers.  That would not be feasible as it would cause plenty of upset people
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9696765
hmm..i dont blame ya rusty, yeah you are right, that can have a lot of upset people.

how about, creating a group in ur AD and moving the 3 - 4 users whom u want to track and give the group same right and permissions as the group they are in right now and then enable auditing for that group? and then give ur manager the audit file since he asked for it? do you think it is gonna cause other people to get upset?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9696773
No, but as is I have so many OU's that they are turning into UOU's..(unorganization units).  I would prefer not to have to do something to that measure, but may keep that in mind.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9696777
If it's only 2 or 3 users, it can't be a big problem to just make a loginscript for them, also, you can always make a different loginscript for the local users, and give the external users a loginscript of their own.

LucF
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9696788
They are all internal users.  They all login to the domain.  The problem is that with so many users it is not very feasible to give individual login scripts.  I have 4 login scripts, one per branch.  As for the local login scripts, the problem is they login at whatever computer is open, so I can't put it on just one computer.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9696827
rusty:

lol .. i think u r hell bent that u r not gonna accommodate that manager's request.. pal, tell u what.. i hav been in ur situation before and i know how u feel.. u wanna help that manager guy but it is gonna cause a lot of nuisance to u.. i dont hav ne other ideas than what i suggested earlier.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9696830
>his field workers
I assume they log in using a different network card of the server, which also gives different IP addresses using DHCP.
So I think the "They are all internal users." doesn't count here.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9696845
What do you mean?  An internal user to me would be one who is on the same IP subnet as the servers etc.  All of our branches are connected & work as a wide area network.  

It's not that I am bent on not helping him, I just don't want it to have an effect on anyone else...and I cannot have 3 or 4 exceptions.  That is why I was looking for a policy I could apply to all people in the "operations" group.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9696887
not possible pal.. u cannot apply the policy to the entire group if you want to trace just 2 or 3 of them. only way is to create another group and hav a different policy... i know it is gonna create UOU for u.. but seems to be the only way..

LucF, I think rusty is talking about a single subnet.. so they r all internal users.. VPN and dialing in doesnt come into picture here.. that's just my 2 cents worth
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9696898
No, I am fine applying it to all of the people in the operations group.  (not OU, but group)

Yeah, we are all on a single subnet:

192.168.1.x - Branch 1
192.168.2.x - Branch 2
etc
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9696929
so what's the problem.. apply the policy to the group.. u dont hav to create a new OU, create a new group.. and a new policy and apply it to th group. here is a link describing that.. i'm sure u hav done this before.. just for ur reference though

http://www.serverwatch.com/tutorials/article.php/1497881
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9696931
Can't you have the external people on a different subnet. Just create an extra scope...
Or put those people in a different group...

If you can't, then you're really out of luck on this one...
... It can't be done.

LucF
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9696947
What??  There are no external people.  

I have four branches.  Branch 1 is the 192.168.1.x branch, it has all of the servers, DCs etc.  Branch 3 is the one with these problem children...they login authenticating to our DCs, accessing our servers etc.
0
 
LVL 2

Expert Comment

by:superfir
ID: 9697930
If you are running login scripts for these individuals it is safe to assume that you are also mapping drives for the individuals?  Would it be feasible to add several lines to the script to append to an auditing text file without causing distress amongst the employees?

Say for instance if you are running a batch login script you could add a couple of lines for the individuals in question(I do not have access to a Win9X system to test with but there are other alternatives if this command will not work for them):

IF %USERNAME%==johnsmith ECHO %USERNAME% %DATE% %TIME% >> X:\Folder\AUDIT.LOG

Restrict access to the folder to just the individuals in question and the manager that is inquiring about their logins.

Depending on the email software you are using it is possible that you could code a WSH script to send an email either via the login scripts from the clients' systems to send out as soon as they have logged in, or if you are versed in ADSI you could go as far as to set up a script that runs once an hour to check to see if they have logged in and then send out an email either from your system or the server.  It would not be as accurate as if you were to turn auditing on, but it will give a general idea to the manager.
0
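
The same idea without a per-user script, as an added example that is not code from the thread: a fragment for the one shared branch logon script that logs only when the person logging on belongs to a tracking group, so who is tracked is decided by group membership and not by editing the script. It is written in PowerShell; the group name and log share are hypothetical.

```powershell
# Added example: fragment for a shared logon script. Names are hypothetical.
$TrackGroup = 'EXAMPLE\LogonTracked'                 # AD security group (assumption)
$LogFile    = '\\fileserver\logonaudit$\logons.log'  # hidden share (assumption)

function Test-TrackedUser {
    param([string]$Group)
    # The logon token already lists the user's groups, nested ones included,
    # so no directory query is needed at logon time.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole($Group)
}

function Write-LogonRecord {
    param([string]$Path)
    # One tab-separated line: ISO timestamp, DOMAIN\user, workstation name.
    $line = "{0:s}`t{1}\{2}`t{3}" -f (Get-Date), $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME
    # Several people may log on at once; retry briefly if the file is locked,
    # then give up quietly so a logging problem never delays the logon.
    foreach ($attempt in 1..5) {
        try {
            Add-Content -Path $Path -Value $line -ErrorAction Stop
            return $true
        } catch {
            Start-Sleep -Milliseconds 200
        }
    }
    return $false
}

# Everyone runs the same script; only members of the tracking group are logged.
if (Test-TrackedUser -Group $TrackGroup) {
    [void](Write-LogonRecord -Path $LogFile)
}
```

Group membership is read from the logon token, so adding or removing someone takes effect at their next logon. Anyone who can append to the log can also edit it, so this is a usage indicator; the domain controllers' Security logs remain the record to rely on.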
 
LVL 6

Author Comment

by:rustyrpage
ID: 9703287
But I have only 4 login scripts:
1) Branch 1
2) Branch 2
3) Branch 3
4) Branch 4

I guess it isn't going to be something feasible.  Sorry about that..I am going to leave the question open for a bit in case someone else has a great idea that might help me out with my strict guidelines.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9703402
> Branch 3 is the one with these problem children...
then, why don't you split up this branch??? How hard can it be?? Can you please explain what the problem is with this??

As you said in your question "for his field workers to have computer access"
So I assume these are laptops or at least computers not used internally.
Why don't you place it in the Startup folder so it'll be run every time the computer starts? If they make connection to your network, the manager will get a message, if they don't your manager won't get the message.

LucF
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9703415
What do you mean split up this branch?  It is a branch with about 50 users...I can't very well split it up.

I thought I had explained before that they are internal users/computers.

It isn't for just one computer, it is to be used for every computer in that office...because they jump from one to another.

0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9703508
You completely lost me there, I've no idea what the problem is.
>It is a branch with about 50 users...I can't very well split it up.
Why not
Branch3.1 (47 users) => this loginscript
Branch3.2 (the troubling 3 users) => another loginscript.

And what about the "field workers"??? What kind of connection do they use to login to the network??? What kind of computers do they use??? Is it always the same computers that go on "field work"???

Please explain, I'm trying to help, but this way, I haven't got a clue on what you have or what you want.

LucF
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9703568
But what I was saying is that I do not want to make an exception, or a separate net just for 3 users.

The field workers walk into the building & connect to a workstation in the building, they pick a random one that doesn't have anyone using it.

If a solution includes adding another subnet, OU, personal login script or anything like that, thanks for the suggestion, but it isn't going to happen because of the need for organization & continuity.
0
 
LVL 2

Expert Comment

by:superfir
ID: 9703771
I'm not sure I understand from your perspective why modifying the main login script for 'Branch 3' to create an audit log for 3 users is not a feasible option.  Is there any particular reason why you can not add a few lines to the login script to produce the log for you or is it against company policy altogether to make the modification?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9703796
Not against company policy, but against practical policy.  I cannot start making little changes on the whim of a particular manager's needs...because soon enough I have thirty different login scripts or variants...hundreds of OU's, and a complete mess.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9703812
pal, just create a group in the OU and apply the GPO.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9703835
Can I decide what the answer would be?

Without understanding the company situation & the way it HAS to be organized, please do not tell me what the answer will be.

I guess there is no way to answer this question, I will close it out.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9703875
calm down.. we are just trying to help you out.. anyways good luck with your problem. Hope you will solve it more efficiently than suggested by us.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9703897
I am plenty calm...I just think it is very presumptuous of you to assume that your answer is going to be perfect for me.  It may be a right answer, but it is not the right answer.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704141
I have objections!!

We gave working suggestions to solve this problem,
rustyrpage wants solutions, but he doesn't want to change anything. If he's not happy with the answer, I can accept that.
But I spent a lot of time trying to help him, and gave him workable solutions.

quote:
>I cannot start making little changes on the whim of a particular manager's needs...because soon enough I have thirty different login scripts or variants...hundreds of OU's, and a complete mess.

That's his problem, but it will really solve his problem and help out his managers. It's a workable solution I provided, rustyrpage just has to explain to his managers that changing things like this doesn't make his life easier, so it's a one time change....

LucF
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704160
It's not for making my life easier...it is for making the individual branch IT people that come in easier...it is for making organization rather than chaos.

The solution I asked would be one that could be applied to that individual person...but I cannot create new OU's or login scripts.  I am aiming for a way to make some sort of change in AD or something that will create a log file or notify me when something changes.

In Novell I used to be able to know when the last time someone logged in was, now I don't even have that capability, that I am aware of.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9704172
Thanks LucF..

I have objections too..

Both mine as well as LucF solutions would work if "rustyrpage" is ready to change something in his setup. If the whole idea is not to change anything, then there is no point in asking the question. Further in addition to that, I didn't like rusty's posting in the community support saying "no one knows answer to this question"... that's not fair. we provided him the answers, but he doesn't want to agree.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704228
But the fact of the matter is that is not a solution to my question.  It would work...yes....but not for what I need.  

Like I said before, you have some answers, but it is not the answer.

What you have to realize, and since you seem to be so upset about it, I will go into some of the politics:

Our system administrator set up the system in a manner that anyone could come in & understand what OU is for what & have it workable.  As someone who works under him, although I have the ability to make the changes, he would flip out if I started to add OU's here and there, just so that I can do various things that he used to be able to do in Novell without any changes. Now, I know how to create OU's...but even more I could obviously just create a 5th login script & assign it to those users...but the thing is that that is a messy approach.  In a corporation as big as ours, if you make a change like that to one user, it begins to cause problems in the long run.  Say next year we decide to map something new to the Z: drive.. I change my four login scripts, and then all of a sudden those three guys don't work....you just have to understand that in a company where there are 200+ computer users over 4 main branches & 10 remote offices, you can't go making exception rules.

Now I wouldn't have a problem making changes to a certain user object, simply because it doesn't matter in the long run...but I am getting the impression that that cannot be done...and as such, I would like retract this question because it will not be suitable for my particular event.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704285
We gave you workable solutions rustyrpage, you don't like 'm, your problem, but they do work.

> It's not for making my life easier...it is for making the individual branch IT people that come in easier...it is for making organization rather than chaos.
You've probably never heard of ITIL, but if you document these kinds of changes, it won't be a chaos!!

AnnieMod, please do something about this....
I don't know what I can do to let rustyrpage understand us.

adonis1976,
ThanQ for agreeing with me.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704304
I have no problem giving you the points...but the fact is that you didn't answer the question!  "I don't know what I can do let LucF understand this".  You could tell me all of that all day long, but I am not an idiot, I already knew how to do all of that, and if I felt that was a viable answer, I would have just done it!
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704394
LucF & adonis1976 - Please realize that I am only accepting points because I am tired of receiving notification E-mails...and it is starting to upset me that you insist on your answer being right.  I am not denoting the fact that your answer may be workable...however, it is not going to work in a corporation.  I appreciate your efforts, and that's another reason I gave you the points because I do not want you to feel that you worked hard on getting me solutions.

Thank you.

adonis1976 - You will find more points in another post for you
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704401
Are you kidding me???  C would be average, yes...I feel their responses were average...B would be sufficient for my needs.  The only reason I gave the points is because they did work for it & I was getting annoyed with the E-mails.  I am at the same point I was at before I started this whole thing.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704448
Anniemod, I think this question should get at least a "B" grade, and also some points for adonis1976, do you agree if I post a "points for adonis1976" question, as I don't expect one from rustyrpage.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704457
LucF...there is already a points for adonis1976...and no, it doesn't deserve a B
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704532
rustyrpage, I'm not trying to annoy you, I tried to help you, I gave a workable solution. Can you explain to me why this isn't worth a "B" grade?

Is it because you don't like it?? If so, read this:
1) Even a "no, you can't do that" is a valid answer.
2) The solutions we gave you will work.
3) We put a lot of effort trying to help you and you should really contact your managers about this.

adonis1976, your point for question can be found at http:Q_20791449.html and if you don't get at least a "B" grade I will contact the administrators of EE (I hope AnnieMod will help me on this one) so you will get it. (no offence to anyone)

LucF
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704557
I do take offense to it...in school, C stood for average answer...in my opinion your answer was average...it didn't help me, but it didn't make me dumber.  It was nothing that I couldn't have done on my own..I learned nothing new.  

No, you can't do this is an answer I never received...all I received was "the answer is this".  The point is that, that solution didn't work for me. Have you ever been in an IT department for a company this large?
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704585
> Have you ever been in an IT department for a company this large?
Yes I have! And still am. 450 users at this moment at 5 different locations all connected through VPN, working at 58 different locations throughout the country.

Take a look at: http://www.experts-exchange.com/help.jsp#hi73
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704589
sorry Lunchy, your comment wasn't there when I submitted.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704592
Thank you for supporting my C: grade:

If you have given the Expert(s) ample time to respond to your clarification posts and you have responded to each of their posts providing requested information; or if the answers, after clarification, lack finality or do not completely address the issue presented, then a "C" grade is an option.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704603
Lunchy, AnnieMod, help! please...
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704624
A: - Definitely not
B: "B: The Expert(s) provided an acceptable solution, or a link to an acceptable solution, that you were able to use, although you may have needed a bit more information to complete the task. "  
         I do not feel that you provided a solution that I was able to use.
C:  "If you have given the Expert(s) ample time to respond to your clarification posts and you have responded to each of their posts providing requested information; or if the answers, after clarification, lack finality or do not completely address the issue presented, then a "C" grade is an option. "  I do feel that your answer lacked finality

Sorry Lunchy...I don't want to argue...I also don't want LucF to have hard feelings, but I just don't feel that a B is justifiable.  If it is really going to have that much an effect on his day, then please change it...but his answer lacks finality & as such, I felt it deserved a C...I read each grading scale fully, and still feel justified in my response.

LucF...I will no longer post questions in Experts Exchange because of the lack of friendliness & understanding of an individual's situation.  I will however continue to answer questions as I feel that I have been able to help people in the past with problems & do have valuable information (much like you do most of the time) to add to people's questions
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704665
I don't mean to offend you, but I think you're overreacting...

>I also don't want LucF to have hard feelings,
I don't have any hard feelings... try to understand that, I'm just disappointed...

>because of the lack of friendliness
I have provided possibilities throughout this whole question, never meant to offend anyone.

I'm not at EE for the points, but I like to be appreciated for what I try to do to help people, including you, solve their problems.

I will do my best to help you on your other questions, it's just this one where I don't agree with you.

Hope you understand my point.

LucF
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704778
You know what...I have gotten more E-mails from this one question today than my whole help desk organization...so, give him the B...I am sick of this.  The question was never how can I add people to an OU...I am well aware of the ability to add users to an OU & apply login scripts to them.  I asked, in my initial question how to apply policies...I said nothing about login scripts.  I saw no solution that included policies....only login scripts
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 9704801
I don't want the grade to be a slight on LucF...change it to a B & let's get it over with
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9704818
ThanQ, rustyrpage, Lunchy and AnnieMod
0
 
LVL 2

Expert Comment

by:superfir
ID: 9705061
Just trying to be helpful here, not flood you with more comments rusty, just wanted to post and let you know that, to at least a certain extent, some of what you are asking for can be done, it just depends on what your resources are to make it happen.  Using ADSI, as previously mentioned in my first comment, you can pull 'last login' information from user objects in Active Directory, as well as a multitude of other bits of information as listed at this link:  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/iadsuser.asp

Since reworking login scripts and loading software is not an option for you, perhaps you could write a script that can be run daily on your system that would poll this information and could then be emailed to the manager?  I know from personal experience that you can also automate Outlook to create the email for you automatically, and it is possible that other mail clients also support the same type of automation.

Here is an example of an ADSI script:  http://support.microsoft.com/default.aspx?scid=kb;EN-US;277717

If this sounds as if it might be a feasible option for your environment and would like more details I would be more than happy to follow up.  I am not concerned about points, just trying to be helpful and please do not misconstrue my prior message as being overbearing, I was just trying to reach some clarity as to your situation and why some options were not available.
0
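
A sketch of the daily 'last login' poll described above, added here and not taken from the thread or the linked Microsoft articles; it uses the ActiveDirectory PowerShell module instead of raw ADSI. The lastLogon attribute is kept separately on each domain controller and is not replicated, so the script asks every DC and keeps the newest value; the group name is hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to AD.
Import-Module ActiveDirectory

$TrackGroup = 'LogonTracked'   # hypothetical group holding the accounts to report on

# Every DC answers from its own copy of lastLogon, so collect them all.
$dcs     = Get-ADDomainController -Filter *
$members = Get-ADGroupMember -Identity $TrackGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $latest = 0        # newest lastLogon seen so far (Windows FILETIME, 0 = never)
    $seenOn = $null    # DC that reported it
    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $m.distinguishedName -Server $dc.HostName `
                     -Properties lastLogon -ErrorAction Stop
        } catch {
            continue   # DC unreachable: skip it rather than fail the whole report
        }
        if ($u.lastLogon -gt $latest) {
            $latest = $u.lastLogon
            $seenOn = $dc.Name
        }
    }
    [pscustomobject]@{
        User       = $m.SamAccountName
        LastLogon  = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
        ReportedBy = $seenOn
    }
}

# Newest first; accounts that have never logged on show an empty LastLogon.
$report | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

The replicated lastLogonTimestamp attribute needs only one query, but by default it is refreshed only when the stored value is roughly 9 to 14 days old, which is too coarse for a daily report.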
