VBScript to detect authorised remote login session

Hi Experts,
I would need some VBScript to achieve the following results:-

I have some designated gateway servers for vendors to use.
For this, I would need VBScript (which will be used as part of login script) to detect if any vendors are logging to servers without going through gateway servers and alerting via email.

Basic idea will be all remote login must be going through Gateway servers, for example
GateServer1 -
GateServer2 -
GateServer3 -
GateServer4 -
GateServer5 -

Script logic will be like:-
1) If remote source server name/ip does not match GateServerX or GateServerIP, create a new Event Source (VENDORS) with Event ID (8888) in target server application log for audit purpose.

2) In the newly created event should capture the following information:-
a) User ID logged on
b) Source Host Name/IP
c) Type of login session: RDP-TCP or ICA-TCP etc
d) Login server name - Server name that user is logged on
3) Flag out an email notification to Administrators for furter action.

4) This script should only detect RDP-Tcp# session, if it's Citrix session like ICA-TCP# session, can be ignored.


Kung Hui
Who is Participating?
eastmsConnect With a Mentor Commented:
Here is what i use as a login script for a few of my sensitive accounts, its ugly but works well for me:

Sample email generated:

User sysadmin has logged into COMPUTER1
Current Location of computer in AD:
Building 1
North Site

'Send email to You
Dim objShell
Set objMessage = CreateObject("CDO.Message") 
set objNet = CreateObject("wscript.network")
Set objShell = CreateObject("WScript.Shell")
'OU finder area
Set objSysInfo = CreateObject("ADSystemInfo")
strComputer = objSysInfo.ComputerName

Set objComputer = GetObject("LDAP://" & strComputer)
'i split OUs into seperate lines to make it easier to read in email.  If you dont have as many nested OUs you may remove some of the arrays below or an error may occour

arrOUs = Split(objComputer.Parent, ",")
arrMainOU1 = Split(arrOUs(0), "=")
arrMainOU2 = Split(arrOUs(1), "=")
arrMainOU3 = Split(arrOUs(2), "=")
arrMainOU4 = Split(arrOUs(3), "=")
arrMainOU5 = Split(arrOUs(4), "=")


rempcname = objShell.ExpandEnvironmentStrings("%CLIENTNAME%")

if rempcname = "%CLIENTNAME%" then
		rempcname = "Console"
	end if

'wscript.echo rempcname

'i split OUs into seperate lines to make it easier to read in email.  If you dont have as many nested OUs you may remove some of the arrays below or an error may occour
strmsgbody = ""
strmsgbody1 =   "User " & objNet.username & " has logged into "  & objNet.ComputerName &VbCr _
& "Current Location of computer in AD: " &VbCr _
& arrMainOU1(1) &VbCr _
& arrMainOU2(1)&VbCr _
& arrMainOU3(1)&VbCr _
& arrMainOU4(1)&VbCr _
& arrMainOU5(1)&VbCr _
& "Logged in via: " & rempcname

objMessage.Subject =  objNet.username & " logged into "  & objNet.ComputerName & " via " & rempcname
objMessage.From = "no-reply@domain.com" 
objMessage.To = "you@domain.com" 

objMessage.TextBody =  strmsgbody1 

'==This section provides the configuration information for the remote SMTP server.
'==Normally you will only change the server name or IP.
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 

'Name or IP of Remote SMTP Server
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "SMTP.DOMAIN.COM"

'Server port (typically 25)
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 


'==End remote SMTP server configuration section==


Open in new window

kunghui80Author Commented:
Hi eastms,
The script does not cover all the perspective of my question for Item 1-4.  Item 1 & 4 were not accomplished, but the script provided does lead me to achieve those subsequently.

Thanks for assistance.

Kung Hui
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.