• Status: Solved
  • Priority: High
  • Security: Public
  • Views: 239

Email alert to let me know when user with domain admin rights has logged onto Server 2016 domain controller

What processes can I follow to set up an email alert to let me know when a certain user with domain admin rights has logged onto a Server 2016 domain controller?
0
Asked by: IT Guy
7 Solutions
 
timgreen7077Exchange EngineerCommented:
Not sure of a way this can be done natively, you may have to get a 3rd party app to assist with this.
0
 
Vince MabarySystems and Database AdministratorCommented:
Are they logging in to the DC directly (or via remote tools)?  Or are you referring to when they are authenticated in AD via the DC?
0
 
Shaun VermaakTechnical Specialist/DeveloperCommented:
Not trying to be nasty, but if you need to track DA like that they shouldn't be DAs because they can do this
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html

Rather give them this
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html
3
 
IT GuyNetwork EngineerAuthor Commented:
Vince,

Sorry for the delay in getting back with you.

The domain administrator I am referring to would be logging into the domain controller using Remote Desktop.

How can such an alert notification be setup?
0
 
Vince MabarySystems and Database AdministratorCommented:
Np.  Okay, so you'd need something to watch for RD connections associated with that particular user's credentials.  Do you have any monitoring tools at this time?  You might be able to create a custom Windows log that only adds entries associated with that particular activity.

Most common solutions for this type of issue are not going to be 100% safe from external modification (in the event that you believe the individual is a security risk).  

Not trying to dig into your business, but if you could give us all a bit more context behind the what and why, then we could possibly offer more effective measures than what you are going for right now.  Re
0
 
IT GuyNetwork EngineerAuthor Commented:
I'm currently not using any monitoring tools at this time besides checking the standard Windows logs and events.

What monitoring tools do you or other experts recommend I use to monitor and receive an email alert whenever this domain admin logs onto any of the two Server 2016 servers?

I trust this domain admin and am just curious what tools are available to provide this type of alert.
0
 
Blue Street TechLast KnightCommented:
Hi IT Guy,

I'd highly recommend installing something like Manage Engine's ADAudit Plus, there's a 30-day free trial: https://www.manageengine.com/products/active-directory-audit/?AllPrd

It will alert you (email, text, dashboard alerts) and reports on all AD-related user behavior especially security related logins, failed attempts, and other nefarious behavior - inside threats. You can easily see when and what users are logging into and it tracks the authentications per day.

Let me know if you have any questions!
0
 
IT GuyNetwork EngineerAuthor Commented:
Can Manage Engine's ADAudit Plus also be configured to send me an email alert whenever a particular user logs onto his or her Windows 10 computer and is authenticated by the domain controller?
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
You could create a scheduled task that triggers when a certain user logs on (the administrator) and have that task trigger a cmd file. The cmd file would then send the mail using the blat mail tool.
1
 
Naveen SharmaCommented:
Have a look at Lepide's Active Directory auditing solution to track all the logon/logoff activities of Active Directory users. This solution also sends real-time and threshold-based alerts for successful user logon or logoff, and domain controller logon or logoff.

How to track Privileged Users' Activities in Active Directory:
https://www.lepide.com/how-to/track-privileged-user-activities-in-active-directory.html
0
 
IT GuyNetwork EngineerAuthor Commented:
Gerwin Jansen, EE MVE,

Can you please provide me with the steps on how to do what you have described?
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
Create a (basic) script that writes date, time and username to a log file, something like this:

@if "%username%"=="testuser" echo %date% %time% - %username% >> \\server\share\log.txt

- Open task scheduler under Control Panel\All Control Panel Items\Administrative Tools
- Create a new task under task scheduler library that has a trigger "At log on"
- Add an action "Start a program" and browse to the script (you can put the script on your logon share)
- Specify a user that will run the scheduled task under General at "Change user or group"
- Test the task by right-clicking it and select "Run" - you should see a log entry being added to the log file

What kind of options do you have for sending mail?
0
 
IT GuyNetwork EngineerAuthor Commented:
We use Office 365.

How can I send such an email using an Office 365 email address?
0
 
Vince MabarySystems and Database AdministratorCommented:
This outlines how to use a PowerShell script to perform SMTP mailing.  Can you test it?

https://www.howtogeek.com/120011/stupid-geek-tricks-how-to-send-email-from-the-command-line-in-windows-without-extra-software/
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
>> How can I send such an email using an Office 365 email address?
Sure, through vbscript but if you use Office 365 the 'sent' mail will end up in the mailbox of the user that you used. Is that what you want?
0
 
IT GuyNetwork EngineerAuthor Commented:
Yes it is OK if the sent email shows up in the mailbox of the user that is used.

How can this be done?
0
 
CoralonCommented:
It would be easier to do the scheduled task using a PowerShell script.  You can send the mail directly.. the main question is how much can/should this person be trusted?  Mainly because if he is a Domain Admin, this can be worked around/broken - if that person can't be trusted, then there are numerous applications that can track the Domain Admin logins.

In short -- configure the scheduled task to run on that domain controller if that user logs in, and you will also want to schedule it at logon, and at connection to a session (both remote & local), so you end up with 3 tasks, or 1 task with 3 triggers..   The From address does not matter.. all that matters is the address you are sending to.. you need to make sure you are sending it to the domain you can check.

You create the script and put it wherever you want.. probably just on that actual DC

Your scheduled task will have (-File must be the last parameter, everything after it is passed to the script):
powershell.exe -NoProfile -NonInteractive -File <path>\AuditLogin.ps1

Script:
# Only act when the watched account is the one that just logged on
if ($env:username -eq '<username>')
{
     $SMTPTo = 'addressToSendTo@whateverdomain.com'
     $SMTPFrom = 'AuditLoginOnDC<name>@whateverdomain.com'
     $SMTPServer = 'smtp.whateverdomain.com'
     # -f expands the timestamp; single quotes alone would not
     $SMTPSubject = ('<username> logged in on DC <dcname> at {0}' -f [datetime]::Now.ToString())
     $SMTPBody = ('User <username> just logged into the DC <dcname> at {0}' -f [datetime]::Now.ToString())

     Send-MailMessage -To $SMTPTo -From $SMTPFrom -Subject $SMTPSubject -Body $SMTPBody -SmtpServer $SMTPServer
}



This will catch the interactive logins (console, RDP), but will *not* catch other logins, such as network, psexec, powershell remoting, etc.  If those are going to be situations to need to be looked at, then you will need to look at the third party auditing tools, or start doing some extensive auditing of the security logs, which will pick those up.  

If the DA can't be trusted, then you'll find cleared logs, overflowed logs, etc. But, as mentioned above, if they can't be trusted, you have to really reconsider that person's position.

This is specific to catch one person on one particular machine.. if you want to monitor things more generally, then you will want to use a GPO or use a login script, and add the $env:computername variable wherever you want (subject,  body)..

Coralon
0
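As an added example (not code from this thread or from any of its posters), here is a PowerShell script that takes the Security-log route Coralon mentions and also covers the Office 365 mail question from earlier in the thread: rather than relying on the logged-on user's own session as the scripts above do, it reads 4624 logon events for one account from the DC's Security log and mails a summary through smtp.office365.com. The account name, mail addresses and credential file path are placeholders; it assumes success auditing for logon events is enabled on the DC and that the task runs on a short interval (for example every 5 minutes, matching $Minutes) under the account that created the credential file.

```powershell
# Added example: alert on console/RDP logons of one account, taken from the DC's
# Security log instead of the user's own session (so it also sees logons that
# never ran a user-level scheduled task).
# Assumptions: Windows PowerShell 5.1, logon auditing enabled (event 4624),
# and an Office 365 credential stored once with:
#   Get-Credential | Export-Clixml C:\Scripts\o365.xml
# Placeholders: da.admin, alerts@example.com, C:\Scripts\o365.xml
param(
    [string]$Account  = 'da.admin',           # sAMAccountName to watch
    [int]   $Minutes  = 5,                    # look-back window; match the task interval
    [string]$MailTo   = 'alerts@example.com',
    [string]$MailFrom = 'alerts@example.com', # must be the mailbox the credential belongs to
    [string]$CredPath = 'C:\Scripts\o365.xml'
)

# Logon types that mean someone has a session on this DC:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
$interactiveTypes = 2, 10, 11

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$Minutes) }
$hits = foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Read the named EventData fields from the event XML instead of parsing message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -eq $Account -and $interactiveTypes -contains [int]$d.LogonType) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            LogonType = $d.LogonType
            Source    = $d.IpAddress        # "-" for console logons
            Domain    = $d.TargetDomainName
        }
    }
}

if ($hits) {
    $body = $hits | Format-Table -AutoSize | Out-String
    $cred = Import-Clixml $CredPath
    Send-MailMessage -To $MailTo -From $MailFrom `
        -Subject ('Admin logon on {0}: {1} ({2} event(s))' -f $env:COMPUTERNAME, $Account, $hits.Count) `
        -Body $body -SmtpServer 'smtp.office365.com' -Port 587 -UseSsl -Credential $cred
}
```

Export-Clixml protects the password with DPAPI for the user who ran it, so create the XML under the same account the scheduled task runs as; a Domain Admin could still disable the task or clear the log, which is why Coralon's point about trust still applies.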
 
Blue Street TechLast KnightCommented:
>> Can Manage Engine's ADAudit Plus also be configured to send me an email alert whenever a particular user logs onto his or her Windows 10 computer and is authenticated by the domain controller?
I'm not sure...I know the dashboard would show and alert to that but you'd have to ask them or play around with the free trial.
0
Question has a verified solution.