Active Directory Logon Script

For some time now we have used a batch script to log user logons to their domain computers. What we collected via that script looked like this:

Mon 02.01.2017., 7:55:06,64,user1,AD-PC1,Windows 7 or Server 2008R2,32 Bit
Mon 02.01.2017., 7:55:42,90,user2,AD-PC2,Windows 7 or Server 2008R2,64 Bit
Mon 02.01.2017., 7:55:46,51,user3,AD-PC3,Windows 7 or Server 2008R2,32 Bit
Mon 02.01.2017., 7:55:50,94,user4,AD-PC4,Windows 7 or Server 2008R2,64 Bit

But now (well, not now, but some time ago) PowerShell started to improve IT life.
So the logon script that I now use on my domain is as follows:

# IPv4 address of this computer (one ping to ourselves)
$ipV4 = Test-Connection -ComputerName $env:ComputerName -Count 1 | Select -ExpandProperty IPV4Address

$Date = Get-Date -Format "dd.MM.yyyy HH:mm"

# Shared log file; replace with the UNC path of your share (every user's logon script appends to it)
$OutputFile = 'UNC Path\logon.txt'

# Installed RAM in GB, rounded to two decimals
$TotalMemory = (Get-WmiObject -Class Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum | % {[Math]::Round(($_.Sum / 1GB), 2)})
# Query the OS and computer system once and reuse the objects
$OS = Get-WmiObject -Class Win32_OperatingSystem
$CS = Get-WmiObject CIM_ComputerSystem

$String  = $Date + ", "
$String += $env:UserName + ", "
$String += $env:ComputerName + ", "
$String += $ipV4.IPAddressToString + ", "
$String += $OS.Caption + ", "
$String += $OS.OSArchitecture + ", "
$String += $CS.Model + " (" + $CS.SystemFamily + ") sn:" + (Get-WmiObject Win32_Bios).SerialNumber + ", "
$String += [string]$TotalMemory + "GB RAM, "
$String += "IE: " + (Get-ItemProperty 'HKLM:\Software\Microsoft\Internet Explorer').SvcVersion
$String | Out-File $OutputFile -Append

And now we get the full information: who logged on, at what time, from what IP address and from what particular PC.
The collection now looks like this:
29.09.2017 18:21, user1, AD-PC1,, Microsoft Windows 7 Professional , 32-bit, Model1 (Lenovo X230) sn:1111111, 4GB RAM, IE: 11.0.9600.18762
29.09.2017 18:36, user2, AD-PC2,, Microsoft Windows 7 Professional , 32-bit, Model2 (HP370 AIO) sn:11111112, 4GB RAM, IE: 11.0.9600.18762
29.09.2017 18:39, user1, AD-PC3,, Microsoft Windows 7 Enterprise , 64-bit, Model3 (XXXXXX) sn:1123141, 4GB RAM, IE: 11.0.9600.18762
I suggest you open the txt file with Notepad++ because it does not lock the file, so the logon scripts can keep appending to it.
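Because every user's logon script appends to logon.txt, the share has to be writable by all domain users, and the file is therefore untrusted input: anything that reads it should tolerate short or malformed lines rather than crash. The following is an added example, not part of the original post, that parses the format written by the script above and summarises which machines each user logged on from. The sample lines are constructed (with IP addresses filled in), the deliberately broken line shows the malformed-line handling, and the UNC path in the comment is a placeholder.

```powershell
# Added example, not from the original post. Parses lines in the format written by the
# logon script above and summarises logons per user. Sample lines are constructed.
$SampleLog = @'
29.09.2017 18:21, user1, AD-PC1, 10.0.0.11, Microsoft Windows 7 Professional , 32-bit, Model1 (Lenovo X230) sn:1111111, 4GB RAM, IE: 11.0.9600.18762
29.09.2017 18:36, user2, AD-PC2, 10.0.0.12, Microsoft Windows 7 Professional , 32-bit, Model2 (HP370 AIO) sn:11111112, 4GB RAM, IE: 11.0.9600.18762
29.09.2017 18:39, user1, AD-PC3, 10.0.0.13, Microsoft Windows 7 Enterprise , 64-bit, Model3 (XXXXXX) sn:1123141, 4GB RAM, IE: 11.0.9600.18762
this line is deliberately broken
'@

function ConvertFrom-LogonLine {
    # One logon.txt line -> one object. Malformed lines are reported and skipped,
    # because any domain user can write to the shared file.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line)) { return }
        $f = $Line -split ',\s*'            # fields in the order the script writes them
        if ($f.Count -lt 9) { Write-Warning "Skipping malformed line: $Line"; return }
        try {
            $time = [datetime]::ParseExact($f[0], 'dd.MM.yyyy HH:mm', [cultureinfo]::InvariantCulture)
        } catch {
            Write-Warning "Bad timestamp in line: $Line"; return
        }
        [pscustomobject]@{
            Time     = $time
            User     = $f[1]
            Computer = $f[2]
            IP       = $f[3]
            OS       = $f[4].Trim()
            Arch     = $f[5]
            Hardware = $f[6]
            RamGB    = [double]($f[7] -replace 'GB RAM$', '')
            IE       = $f[8] -replace '^IE:\s*', ''
        }
    }
}

function Get-LogonSummary {
    # Per-user view: how often, from which computers, first and last seen.
    # A user appearing on many machines in a small domain is worth a second look.
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Group-Object User | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            User      = $_.Name
            Logons    = $_.Count
            Computers = (($_.Group | ForEach-Object Computer | Sort-Object -Unique) -join ';')
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
        }
    }
}

$entries = $SampleLog -split '\r?\n' | ConvertFrom-LogonLine
# Real data (placeholder path): $entries = Get-Content '\\<server>\<share>\logon.txt' | ConvertFrom-LogonLine
Get-LogonSummary -Entries $entries | Format-Table -AutoSize

# Machines below a given IE build, e.g. for patch follow-up
$entries | Where-Object { [version]$_.IE -lt [version]'11.0.9600.18762' } | Select-Object Computer, IE
```

The split on ", " works for the fields the script writes today; if a hardware model or OS caption ever contains a comma, switch the logon script to Export-Csv with proper quoting before relying on this parser.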

Good Luck!

Active Directory User Auditing – SCOM 2012

In my last chapter I talked about AD user account auditing with PowerShell scripting and Task Scheduler. I also provided a list of Event IDs.
This time I will show you how to create those notifications through System Center Operations Manager.

In the OM Console open Authoring,

then go to Rules and create a new one.

These events are Security events in the NT event log, so we choose Alert Generating Rules, then Event Based, then NT Event Log.

My suggestion is to create a custom AD User Events management pack in which to store these rules. It is easier to edit or change things if you have your own packs.

Now select the Default Management Pack, or the newly created AD Custom Pack.

After this, name your rule, and set the category and the target.
Targets are Domain Controllers, which you defined when

Next, set the log type to Security, because it is a security-based rule.

Create an expression for Event ID 4740 from the Security Auditing source.

On the next screen you have the option to design your own alert description, with Priority and Severity. I suggest setting a locked account to Low priority and Warning severity.
In the description you can use the already configured placeholders, or you can create your own.
When you have created the rule, you can test it by locking an account.

As you can see, I have two Domain Controllers, and the account is locked on both, which is OK, since the DCs are synced.

Now you can create such rules for all the Event IDs you like.

Good Luck

Active Directory User Auditing – Simple

For my audit report, I had to create an audit list of the creating, deleting, disabling, enabling, locking and unlocking of my AD users.

Since we did not have SCOM on our premises, I had to come up with something that would trigger an e-mail to me with the event.
First of all you have to enable user auditing in the Default GPO.


After that, I connected to my primary domain controller and created a PowerShell script (with a little help from ) which sends an e-mail in HTML form to me, with some parameters.
First it creates an HTML file with a table, which it populates from the Security event log with Event ID 4740. After the HTML file is populated, the table is set as the body of an e-mail and sent to the e-mail addresses.

$DC = "DCServerName"   # placeholder: the DC whose Security log is read (use $env:COMPUTERNAME when run on the DC itself)
$Report = "C:\Admin\lockedaccount\locked.html"

# HTML head (CSS) for the report table
$HTML = @"
<title>Account locked out Report</title>
<style>
BODY{background-color:#FFFFFF}
TABLE{border-width:thin;border-style:solid;border-color:black;border-collapse:collapse;}
TH{border-width:1px;padding:1px;border-style:solid;border-color:black;background-color:ThreeDShadow}
TD{border-width:1px;padding:0px;border-style:solid;border-color:black;background-color:transparent}
H2{color:#457dcf;font-family:Arial,Helvetica,sans-serif;font-size:medium;margin-left:40px;}
</style>
"@

# Newest 4740 event. For 4740 the ReplacementStrings are TargetUserName, TargetDomainName
# (the caller computer), TargetSid, SubjectUserSid, SubjectUserName, SubjectDomainName and
# SubjectLogonId, so [-7] (= [0]) is the locked account, [5] the domain and [1] the caller computer.
$event = Get-EventLog -LogName Security -ComputerName $DC -InstanceId 4740 -Newest 1 |
    ForEach-Object {
        New-Object PSObject -Property @{
            "Account name"         = $_.ReplacementStrings[-7]
            "Account Domain"       = $_.ReplacementStrings[5]
            "Caller Computer Name" = $_.ReplacementStrings[1]
            Date                   = $_.TimeGenerated
        }
    }

$event | ConvertTo-Html -Property "Account name","Account Domain","Caller Computer Name",Date -Head $HTML -Body "<H2> User is locked in the Active Directory</H2>" |
    Out-File $Report -Append

$MailBody    = Get-Content $Report | Out-String
$MailSubject = "User Account locked out"

$SmtpClient      = New-Object Net.Mail.SmtpClient
$SmtpClient.Host = "smtp.example.local"              # placeholder: your SMTP relay
$MailMessage     = New-Object Net.Mail.MailMessage
$MailMessage.From = "dc-audit@example.local"         # placeholder: sender address
$MailMessage.To.Add("admin@example.local")           # placeholder: recipient address
$MailMessage.Subject    = $MailSubject
$MailMessage.IsBodyHtml = $true
$MailMessage.Body       = $MailBody
$SmtpClient.Send($MailMessage)

# Remove the report so the next run starts with a fresh file
del C:\Admin\lockedaccount\locked.html

After creating this PowerShell script, the next step is to create an event trigger which will run it and send the e-mail.
This is done through Task Scheduler.


This trigger fires when an event with ID 4740 is generated in the Security log of Event Viewer.

The task action starts powershell.exe with the following argument:

-command "& 'C:\Admin\lockedaccount\account_locked_out.ps1' "

The final result is this:



Now you can do the same for Unlock account (4767), Disable account (4725), Delete account (4726), etc.
I found this site with lists of Event IDs: link
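The script above picks fields out of ReplacementStrings by position, and those positions differ between event IDs, so extending it to 4767, 4725 or 4726 means re-checking the indices for each one. The following is an added example, not the original post's script, that reads the same events by their named EventData fields (via Get-WinEvent and the event XML), checks first that User Account Management auditing is actually on, and mails the result with Send-MailMessage. It is written to be run from the same kind of Task Scheduler event trigger, one task per Event ID passing -Id. The SMTP host and addresses are placeholders, and the `Inclusion Setting` column name is assumed from the CSV report format of auditpol /r.

```powershell
# Added example, not the original post's script. Reads account-management events by
# their named EventData fields instead of ReplacementStrings positions and mails them.
param([int]$Id = 4740)   # Event ID the Task Scheduler trigger fired on

$SmtpServer = 'smtp.example.local'       # placeholder: your SMTP relay
$From       = 'dc-audit@example.local'   # placeholder: sender address
$To         = 'admin@example.local'      # placeholder: recipient address

# Event IDs named in the posts (4740, 4767, 4725, 4726) plus the standard
# Windows IDs for account creation (4720) and enabling (4722).
$AccountEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
}

function Test-AccountAuditPolicy {
    # These events are only written if "User Account Management" auditing is on for Success.
    # auditpol /r emits CSV; the 'Inclusion Setting' column name is assumed from its report format.
    $rows = auditpol /get /subcategory:"User Account Management" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'
    if ($setting -notmatch 'Success') {
        Write-Warning "User Account Management auditing is '$setting'; account events will not be logged."
    }
    return $setting
}

function Get-AccountEvent {
    param(
        [Parameter(Mandatory)][int]$Id,
        [string]$ComputerName = $env:COMPUTERNAME,   # run on the DC, or point at one
        [int]$Newest = 1
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = $Id } `
                 -MaxEvents $Newest -ErrorAction Stop |
        ForEach-Object {
            # Named EventData fields survive layout differences between IDs; positions do not.
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Date                     = $_.TimeCreated
                'Event ID'               = $_.Id
                Event                    = $AccountEvents[$_.Id]
                'Account name'           = $data['TargetUserName']
                # For 4740 TargetDomainName carries the caller computer name; for the
                # other IDs it is the target account's domain.
                'Target domain / caller' = $data['TargetDomainName']
                'Performed by'           = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                'Logged on DC'           = $_.MachineName
            }
        }
}

function Send-AccountEventReport {
    param([Parameter(Mandatory)][object[]]$Events)
    $head = '<style>TABLE{border-collapse:collapse} TH,TD{border:1px solid black;padding:2px}</style>'
    $html = $Events | ConvertTo-Html -Head $head -Body ('<H2>{0}</H2>' -f $Events[0].Event) | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -BodyAsHtml -Body $html `
        -Subject ('[AD audit] {0}: {1}' -f $Events[0].Event, $Events[0].'Account name')
}

$null = Test-AccountAuditPolicy
$events = Get-AccountEvent -Id $Id
if ($events) { Send-AccountEventReport -Events @($events) }
```

Like the original, this reads only the newest event, so if two lock-outs land within a second of each other one of them is never mailed; for a busier domain raise -Newest, or record the last TimeCreated you reported and send everything after it. Lock-outs are also written on every DC that processes the bad password, which is why the SCOM rule in the previous chapter fired on both controllers.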

Good Luck