{"id":84,"date":"2015-02-28T11:23:36","date_gmt":"2015-02-28T03:23:36","guid":{"rendered":"http:\/\/kylemcdonald.com.au\/?p=84"},"modified":"2018-08-14T00:36:47","modified_gmt":"2018-08-13T16:36:47","slug":"powershell-script-to-alert-when-someone-rdps-to-a-server","status":"publish","type":"post","link":"https:\/\/kylemcdonald.com.au\/2015\/02\/28\/powershell-script-to-alert-when-someone-rdps-to-a-server\/","title":{"rendered":"Powershell script to alert when someone RDP’s to a server"},"content":{"rendered":"

I’ve had a few issues with contractors logging directly into a server, rather than using remote management tools. This script requires a scheduled task with a number of event triggers depending on what you want to alert on. I’m not too fussed when they log off or disconnect, but I do care about seeing when they log in or reconnect.<\/p>\n

<\/p>\n

<#\r\n.Name\r\n   RDP_Connected.ps1\r\n.DESCRIPTION\r\n   Powershell script that sends an email when someone RDP's to a Win2012 server.\r\n.PARAMETERS\r\n   None.\r\n.Version\r\n   0.1\r\n.Author\r\n   Kyle McDonald\r\n.Compatibility\r\n   Windows 2008 R2 and higher\r\n.Release Date\r\n   July 2015\r\n.NOTES\r\n   Create a scheduled task based on the following two triggers;\r\n   - Trigger 1: When a specific event is logged\r\n   --- Log: Microsoft-Windows-TerminalServices-LocalSessionManager\/Operational\r\n   --- Source: TerminalServices-LocalSessionManager\r\n   --- Event ID: 21\r\n   - Trigger 2: When a specific event is logged\r\n   --- Log: Microsoft-Windows-TerminalServices-LocalSessionManager\/Operational\r\n   --- Source: TerminalServices-LocalSessionManager\r\n   --- Event ID: 25\r\n \r\n   Event IDs Descriptions;\r\n   - ID 21: Session logon succeeded\r\n   - ID 23: Session logoff succeeded\r\n   - ID 24: Session has been disconnected\r\n   - ID 25: Session reconnection succeeded\r\n#>\r\n \r\n# Get hostname and DNS domain (used to build the From address)\r\n$hostname = $env:computername\r\n$DomainName = $env:userdnsdomain\r\n \r\n# Get all logon\/logoff events\r\n# $rdp_message = Get-WinEvent -logname \"Microsoft-Windows-TerminalServices-LocalSessionManager\/Operational\" | where {($_.Id -eq \"21\" -OR $_.Id -eq \"24\" -OR $_.Id -eq \"25\"  -OR $_.Id -eq \"23\")} | select -first 1 | ft TimeCreated,Message -auto -wrap | Out-String\r\n \r\n# Get only logon and reconnections\r\n# (Get-WinEvent returns newest events first, so -first 1 is the most recent match)\r\n$rdp_message = Get-WinEvent -logname \"Microsoft-Windows-TerminalServices-LocalSessionManager\/Operational\" | where {($_.Id -eq \"21\" -OR $_.Id -eq \"25\")} | select -first 1 | ft TimeCreated,Message -auto -wrap | Out-String\r\n \r\n# Configure email.\r\n$SMTPserver = \"mail.contoso.com\"\r\n$From = \"$hostname@$DomainName\"\r\n$To = \"user@contoso.com\"\r\n$Subject = \"Someone RDPd into $hostname!\"\r\n$body = $rdp_message\r\n \r\n# Build the message and send it through the SMTP server\r\n$message = new-object Net.Mail.MailMessage($from,$to,$subject,$body)\r\n$message.IsBodyHtml = $True\r\n \r\n$smtp = new-object Net.Mail.SmtpClient($smtpserver)\r\n$smtp.Send($message)\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"

I’ve had a few issues with contractors logging directly into server, rather than using remote management tools. This script requires a scheduled tasks with a number of event triggers depending on what you want to alert on. I’m not too<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[30],"tags":[]}