rustyrpage

asked on

Login E-mail notification

One of our managers is getting paranoid that he is spending money for his field workers to have computer access, yet for some reason they are not using it.  He basically wants to have some way of knowing every single time certain users login to the domain.  (he would prefer just have an E-mail sent to him each time that happens).  I am the IT guy and am not too keen on installing software for this purpose on any of my servers.  Does anyone know of a way to do this without installing additional software (ie..policies etc).  If someone can think of a way to do this, I am open to suggestions...for right now though, I am seeing this as something that is not going to happen.
ASKER CERTIFIED SOLUTION
Luc Franken
btw. If they dial in directly, this also works.
adonis1976

Sending an email every time someone logs in is not possible. What you can do is to enable the login success audit policy in your GPO and then email the audit log file to your manager. You can do this by scheduling a task, maybe once a day. For sending the email u need to have the IIS running on ur machine though.

ASKER

Both of those may work, but not for my situation:

1) LucF - That is a good idea, but I have over 200 computer users, I cannot specify particular login scripts for the 2 or 3 users that he wants to track
2) There is no way that I am going to give my audit file to one of twenty managers.  That would not be feasible as it would cause plenty of upset people
hmm..i dont blame ya rusty, yeah you are right, that can have a lot of upset people.

how about, creating a group in ur AD and moving the 3 - 4 users whom u want to track and give the group same right and permissions as the group they are in right now and then enable auditing for that group? and then give ur manager the audit file since he asked for it? do you think it is gonna cause other people to get upset?
No, but as is I have so many OU's that they are turning into UOU's..(unorganization units).  I would prefer not to have to do something to that measure, but may keep that in mind.
If it's only 2 or 3 users, it can't be a big problem to just make a loginscript for them, also, you can always make a different loginscript for the local users, and give the external users a loginscript of their own.

LucF
They are all internal users.  They all login to the domain.  The problem is that with so many users it is not very feasible to give individual login scripts.  I have 4 logins scripts, one per branch.  As for the local login scripts, the problem is they login at whatever computer is open, so I can't put it on just one computer.
rusty:

lol .. i think u r hell bent that u r not gonna accommodate that manager's request.. pal, tell u what.. i hav been in ur situation before and i know how u feel.. u wanna help that manager guy but it is gonna cause a lot of nuisance to u.. i dont hav ne other ideas than what i suggested earlier.
>his field workers
I assume they log in using a different network card of the server, which also gives different IP addresses using DHCP.
So I think the "They are all internal users." doesn't count here.
What do you mean?  An internal user to me would be one who is on the same IP subnet as the servers etc.  All of our branches are connected & work as a wide area network.  

It's not that I am bent on not helping him, I just don't want it to have an effect on anyone else...and I cannot have 3 or 4 exceptions.  That is why I was looking for a policy I could apply to all people in the "operations" group.
not possible pal.. u cannot apply the policy to the entire group if you want to trace just 2 or 3 of them. only way is to create another group and hav a different policy... i know it is gonna create UOU for u.. but seems to be the only way..

LucF, I think rusty is talking about a single subnet.. so they r all internal users.. VPN and dialing in doesnt come into picture here.. that just my 2 cents worth
No, I am fine applying it to all of the people in the operations group.  (not OU, but group)

Yeah, we are all on a single subnet:

192.168.1.x - Branch 1
192.168.2.x - Branch 2
etc
so what's the problem.. apply the policy to the group.. u dont hav to create a new OU, create a new group.. and a new policy and apply it to the group. here is a link describing that.. i'm sure u hav done this before.. just for ur reference though

http://www.serverwatch.com/tutorials/article.php/1497881
Can't you have the external people on a different subnet. Just create an extra scope...
Or put those people in a different group...

If you can't, then you're really out of luck on this one...
... It can't be done.

LucF
What??  There are no external people.  

I have four branches.  Branch 1 is the 192.168.1.x branch, it has all of the servers, DCs etc.  Branch 3 is the one with these problem children...they login authenticating to our DCs, accessing our servers etc.
If you are running login scripts for these individuals it is safe to assume that you are also mapping drives for the individuals?  Would it be feasible to add several lines to the script to append to an auditing text file without causing distress amongst the employees?

Say for instance if you are running a batch login script you could add a couple of lines for the individuals in question(I do not have access to a Win9X system to test with but there are other alternatives if this command will not work for them):

IF %USERNAME%==johnsmith ECHO %USERNAME% %DATE% %TIME% >> X:\Folder\AUDIT.LOG

Restrict access to the folder to just the individuals in question and the manager that is inquiring about their logins.

Depending on the email software you are using it is possible that you could code a WSH script to send an email either via the login scripts from the clients systems to send out as soon as they have logged in, or if you are versed in ADSI you could go as far as to setup a script that runs once an hour to check to see if they have logged in and then send out an email either from your system or the server.  It would not be as accurate as if you were to turn auditing on, but it will give a general idea to the manager.
But I have only 4 login scripts:
1) Branch 1
2) Branch 2
3) Branch 3
4) Branch 4

I guess it isn't going to be something feasible.  Sorry about that..I am going to leave the question open for a bit in case someone else has a great idea that might help me out with my strict guidelines.
> Branch 3 is the one with these problem children...
Then, why don't you split up this branch??? How hard can it be?? Can you please explain what the problem is with this??

As you said in your question "for his field workers to have computer access"
So I assume these are laptops or at least computer not used internally.
Why don't you place it in the Startup folder so it'll be run every time the computer starts? If they make connection to your network, the manager will get a message, if they don't your manager won't get the message.

LucF
What do you mean split up this branch?  It is a branch with about 50 users...I can't very well split it up.

I thought I had explained before that they are internal users/computers.

It isn't for just one computer, it is to be used for every computer in that office...because they jump from one to another.

You completely lost me there, I've no idea what the problem is.
>It is a branch with about 50 users...I can't very well split it up.
Why not
Branch3.1 (47 users) => this loginscript
Branch3.2 (the troubling 3 users) => another loginscript.

And what about the "field workers"??? What kind of connection do they use to login to the network??? What kind of computers do they use??? Is it always the same computers that go on "field work"???

Please explain, I'm trying to help, but this way, I haven't got a clue on what you have or what you want.

LucF
But what I was saying is that I do not want to make an exception, or a separate net just for 3 users.

The field workers walk into the building & connect to a workstation in the building, they pick a random one that doesn't have anyone using it.

If a solution includes adding another subnet, OU, personal login script or anything like that, thanks for the suggestion, but it isn't going to happen because of the need for organization & continuity.
I'm not sure I understand from your perspective why modifying the main login script for 'Branch 3' to create an audit log for 3 users is not a feasible option.  Is there any particular reason why you can not add a few lines to the login script to produce the log for you or is it against company policy altogether to make the modification?
Not against company policy, but against practical policy.  I cannot start making little changes on the whim of a particular managers needs...because soon enough I have thirty different login scripts or variants...hundreds of OU's, and a complete mess.
pal, just create a group in the OU and apply the GPO.
Can I decide what the answer would be?

Without understanding the company situation & the way it HAS to be organized, please do not tell me what the answer will be.

I guess there is no way to answer this question, I will close it out.
calm down.. we are just trying to help you out.. anyways good luck with your problem. Hope you will solve it more efficiently than suggested by us.
I am plenty calm...I just think it is very presumptuous of you to assume that your answer is going to be perfect for me.  It may be a right answer, but it is not the right answer.
I have objections!!

We gave working suggestions to solve this problem,
rustyrpage wants solutions, but he doesn't want to change anything. If he's not happy with the answer, I can accept that.
But I spent a lot of time trying to help him, and gave him workable solutions.

quote:
>I cannot start making little changes on the whim of a particular managers needs...because soon enough I have thirty different login scripts or variants...hundreds of OU's, and a complete mess.

That's his problem, but it will really solve his problem and help out his managers. It's a workable solution I provided, rustyrpage just has to explain to his managers that changing things like this doesn't make his life easier, so it's a one time change....

LucF
It's not for making my life easier...it is for making the individual branch IT people that come in easier...it is for making organization rather than chaos.

The solution I asked would be one that could be applied to that individual person...but I cannot create new OU's or login scripts.  I am aiming for a way to make some sort of change in AD or something that will create a log file or notify me when something changes.

In Novell I used to be able to know when the last time someone logged in was, now I don't even have that capability, that I am aware of.
Thanks LucF..

I have objections too..

Both mine as well as LucF solutions would work if "rustyrpage" is ready to change something in his setup. If the whole idea is not to change anything, then there is no point in asking the question. Further in addition to that, I didn't like rusty's posting in the community support saying "no one knows answer to this question"... that's not fair. we provided him the answers, but he doesn't want to agree.
But the fact of the matter is that is not a solution to my question.  It would work...yes....but not for what I need.  

Like I said before, you have some answers, but it is not the answer.

What you have to realize, and since you seem to be so upset about it, I will go into some of the politics:

Our system administrator setup the system in a manner that anyone could come in & understand what OU is for what & have it workable.  As someone who works under him, although I have the ability to make the changes, he would flip out if I started to add OU's here and there, just so that I can do various things that he used to be able to do in Novell without any changes. Now, I know how to create OU's...but even more I could obviously just create a 5th login script & assign it to those users...but the thing is that that is a messy approach.  In a corporation as big as ours, if you make a change like that to one user, it begins to cause problems in the long run.  Say next year we decide to map something new to the Z: drive.. I change my four login scripts, and then all of a sudden those three guys don't work....you just have to understand that in a company where there are 200+ computer users over 4 main branches & 10 remote offices, you can't go making exception rules.

Now I wouldn't have a problem making changes to a certain user object, simply because it doesn't matter in the long run...but I am getting the impression that that cannot be done...and as such, I would like retract this question because it will not be suitable for my particular event.
We gave you workable solutions rustyrpage, you don't like 'm, your problem, but they do work.

> It's not for making my life easier...it is for making the individual branch IT people that come in easier...it is for making organization rather than chaos.
You've probably never heard of ITIL, but if you document these kind of changes, it won't be a chaos!!

AnnieMod, please do something about this....
I don't know what I can do to let rustyrpage understand us.

adonis1976,
ThanQ for agreeing with me.
I have no problem giving you the points...but the fact is that you didn't answer the question!  "I don't know what I can do let LucF understand this".  You could tell me all of that all day long, but I am not an idiot, I already knew how to do all of that, and if I felt that was a viable answer, I would have just done it!
LucF & adonis1976 - Please realize that I am only accepting points because I am tired of receiving notification E-mails...and it is starting to upset me that you insist on your answer being right.  I am not denoting the fact that your answer may be workable...however, it is not going to work in a corporation.  I appreciate your efforts, and that's another reason I gave you the points because I do not want you to feel that you worked hard on getting me solutions.

Thank you.

adonis1976 - You will find more points in another post for you
Are you kidding me???  C would be average, yes...I feel their responses were average...B would be sufficient for my needs.  The only reason I gave the points is because they did work for it & I was getting annoyed with the E-mails.  I am at the same point I was at before I started this whole thing.
Anniemod, I think this question should get at least a "B" grade, and also some points for adonis1976, do you agree if I post a "points for adonis1976" question, as I don't expect one from rustyrpage.
LucF...there is already a points for adonis1976...and no, it doesn't deserve a B
rustyrpage, I'm not trying to annoy you, I tried to help you, I gave a workable solution. Can you explain me why this isn't worth a "B" grade?

Is it because you don't like it?? If so, read this:
1) Even a "no, you can't do that" is a valid answer.
2) The solutions we gave you will work.
3) We put a lot of effort trying to help you and you should really contact your managers about this.

adonis1976, your point for question can be found at http:Q_20791449.html and if you don't get at least a "B" grade I will contact the administrators of EE (I hope AnnieMod will help me on this one) so you will get it. (no offence to anyone)

LucF
I do take offense to it...in school, C stood for average answer...in my opinion your answer was average...it didn't help me, but it didn't make me dumber.  It was nothing that I couldn't have done on my own..I learned nothing new.  

No, you can't do this is an answer I never received...all I received was "the answer is this".  The point is that, that solution didn't work for me. Have you ever been in an IT department for a company this large?
> Have you ever been in an IT department for a company this large?
Yes I have! And still am. 450 users at this moment at 5 different locations all connected through VPN, working at 58 different locations throughout the country.

Take a look at: https://www.experts-exchange.com/help.jsp#hi73
sorry Lunchy, your comment wasn't there when I submitted.
Thank you for supporting my C: grade:

If you have given the Expert(s) ample time to respond to your clarification posts and you have responded to each of their posts providing requested information; or if the answers, after clarification, lack finality or do not completely address the issue presented, then a "C" grade is an option.
Lunchy, AnnieMod, help! please...
A: - Definitely not
B: "B: The Expert(s) provided an acceptable solution, or a link to an acceptable solution, that you were able to use, although you may have needed a bit more information to complete the task. " 
         I do not feel that you provided a solution that I was able to use.
C:  "If you have given the Expert(s) ample time to respond to your clarification posts and you have responded to each of their posts providing requested information; or if the answers, after clarification, lack finality or do not completely address the issue presented, then a "C" grade is an option. "  I do feel that your answer lacked finality

Sorry Lunchy...I don't want to argue...I also don't want LucF to have hard feelings, but I just don't feel that a B is justifiable.  If it is really going to have that much an effect on his day, then please change it...but his answer lacks finality & as such, I felt it deserved a C...I read each grading scale fully, and still feel justified in my response.

LucF...I will no longer post questions in Experts Exchange because of the lack of friendliness & understanding of an individual's situation.  I will however continue to answer questions as I feel that I have been able to help people in the past with problems & do have valuable information (much like you do most of the time) to add to people's questions
I don't mean to offend you, but I think you're overreacting...

>I also don't want LucF to have hard feelings,
I don't have any hard feelings... try to understand that, I'm just disappointed...

>because of the lack of friendliness
I have provided possibilities throughout this whole question, never meant to offend anyone.

I'm not at EE for the point, but I like to be appreciated for what I try to do to help people, including you, solve their problems.

I will do my best to help you on your other questions, it's just this one where I don't agree with you.

Hope you understand my point.

LucF
You know what...I have gotten more E-mails from this one question today than my whole help desk organization...so, give him the B...I am sick of this.  The question was never how can I add people to an OU...I am well aware of the ability to add users to an OU & apply login scripts to them.  I asked, in my initial question how to apply policies...I said nothing about login scripts.  I saw no solution that included policies....only login scripts
I don't want the grade to be a slight on LucF...change it to a B & let's get it over with
ThanQ, rustyrpage, Lunchy and AnnieMod
Just trying to be helpful here, not flood you with more comments rusty, just wanted to post and let you know that, to at least a certain extent, some of what you are asking for can be done, it just depends on what your resources are to make it happen.  Using ADSI, as previously mentioned in my first comment, you can pull 'last login' information from user objects in Active Directory, as well as a multitude of other bits of information as listed at this link:  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/iadsuser.asp

Since reworking login scripts and loading software is not an option for you, perhaps you could write a script that can be run daily on your system that would poll this information and could then be emailed to the manager?  I know from personal experience that you can also automate Outlook to create the email for you automatically, and it is possible that other mail clients also support the same type of automation.

Here is an example of an ADSI script:  http://support.microsoft.com/default.aspx?scid=kb;EN-US;277717

If this sounds as if it might be a feasible option for your environment and would like more details I would be more than happy to follow up.  I am not concerned about points, just trying to be helpful and please do not misconstrue my prior message as being overbearing, I was just trying to reach some clarity as to your situation and why some options were not available.
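
The daily last-logon poll suggested in the comment above, written out as an added PowerShell example that is not part of the original thread or any poster's code. It asks every domain controller for the non-replicated lastLogon attribute and keeps the newest value, because a single DC only records the logons it authenticated itself. The group name, SMTP server and mail addresses are placeholders.

```powershell
# Added example (not from the thread). Uses only ADSI via .NET System.DirectoryServices.
$GroupName  = 'Operations'              # assumption: group whose members are reported
$SmtpServer = 'mail.example.com'        # placeholder
$MailFrom   = 'it-reports@example.com'  # placeholder
$MailTo     = 'manager@example.com'     # placeholder

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that are special inside an LDAP filter (RFC 4515).
    $Value.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')
}

function Get-GroupUser([string]$Group) {
    # Resolve the group, then find user accounts that are direct members of it.
    $g = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $Group)))").FindOne()
    if (-not $g) { throw "Group '$Group' not found" }
    $dn = ConvertTo-LdapFilterValue ([string]$g.Properties['distinguishedname'][0])
    $s = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(memberOf=$dn))"
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.Add('samaccountname')
    [void]$s.PropertiesToLoad.Add('distinguishedname')
    foreach ($r in $s.FindAll()) {
        New-Object psobject -Property @{
            Name = [string]$r.Properties['samaccountname'][0]
            Dn   = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Get-LastLogon([string]$UserDn) {
    # lastLogon is not replicated between DCs, so query each one and keep the newest.
    $latest = [long]0
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        try {
            $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$UserDn")
            $s = New-Object System.DirectoryServices.DirectorySearcher($entry)
            $s.SearchScope = 'Base'
            [void]$s.PropertiesToLoad.Add('lastLogon')
            $r = $s.FindOne()
            if ($r -and $r.Properties.Contains('lastlogon')) {
                $value = [long]$r.Properties['lastlogon'][0]
                if ($value -gt $latest) { $latest = $value }
            }
        } catch {
            # An unreachable DC makes the result a lower bound, so say so in the output.
            Write-Warning "Could not query $($dc.Name): $($_.Exception.Message)"
        }
    }
    if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
}

$report = Get-GroupUser $GroupName | ForEach-Object {
    $when = Get-LastLogon $_.Dn
    New-Object psobject -Property @{
        User      = $_.Name
        LastLogon = if ($when) { $when.ToString('yyyy-MM-dd HH:mm') } else { 'never' }
    }
} | Sort-Object User | Select-Object User, LastLogon

$body = $report | Format-Table -AutoSize | Out-String
Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
    -Subject "Last logon report for group $GroupName" -Body $body
```

Run it from a scheduled task under an ordinary domain account; reading lastLogon needs no elevated rights, and the report shows only the most recent logon per user, not every logon event.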