
Topic: Login script


Submitted: 5/21/2008 3:09:26 AM

By: Miha
Hi

Does anyone know or have a script that will send me an email when a user
logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
credentials)?
We're assuming that some of our company users know local admin password, so
we want to know if someone tries or logs into his computer like local admin?
Is this possible, or how can this be done?
Thank you in advance !
Regards,
Miha



Replies


Submitted: 5/21/2008 3:17:32 AM

By: Florian Frommherz [MVP]

Re: Login script

Howdie!

Miha wrote:
> Does anyone know or have a script that will send me an email when a user
> logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
> credentials)?
> We're assuming that some of our company users know local admin password,
> so we want to know if someone tries or logs into his computer like local
> admin? Is this possible, or how can this be done?

Not a ready-to-go script but what you basically need is the ifmember.exe
from the Resource Kit (iirc) and some command line mailing program like
blat (which is free). If I'm correct, blat doesn't need to be installed
and can be called off a network share. You need to explore yourself.

I guess that script can be done with a few lines of batch.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html


Submitted: 5/21/2008 3:27:17 AM

By: Pegasus (MVP)

Re: Login script


"Miha" <miha.bernik@email.si> wrote in message
news:9A73E8CF-5187-4DE2-82AE-910F857CE42E@microsoft.com...
> Hi
>
> Does anyone know or have a script that will send me an email when a user
> logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
> credentials)?
> We're assuming that some of our company users know local admin password,
> so we want to know if someone tries or logs into his computer like local
> admin? Is this possible, or how can this be done?
> Thank you in advance !
> Regards,
> Miha

AFAIK the environmental variable %UserDomain% will tell
whether a user gets validated locally or on the domain. As Florian
says, use blat.exe to send yourself a note when this happens.




Submitted: 5/21/2008 3:50:47 AM

By: Pegasus (MVP)

Re: Login script


"Miha" <miha.bernik@email.si> wrote in message
news:9A73E8CF-5187-4DE2-82AE-910F857CE42E@microsoft.com...
> Hi
>
> Does anyone know or have a script that will send me an email when a user
> logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
> credentials)?
> We're assuming that some of our company users know local admin password,
> so we want to know if someone tries or logs into his computer like local
> admin? Is this possible, or how can this be done?
> Thank you in advance !
> Regards,
> Miha

Further to my previous note: The question I failed to answer is
WHAT can you use to trigger the script to send you a message.
You cannot use your domain logon script (since it won't get
executed under local log-ins) and you probably cannot use a
local login script (because it would be visible to the user). I'll
think about this one a little more. Perhaps WMI has a solution.




Submitted: 5/21/2008 5:05:32 PM

By: Allan

Re: Login script

It is possible with a little work. There are many steps.

All of this can be done in any order, you just need all the pieces before it
will work, there may be a better way.

-(change share) Create a share on a server that is accessible to all
computers. In the Share Permissions set Everyone to Change and Anonymous
Logon to Change. In this directory create a log file named something like
locals.log. (this is done because the local users don't actually have rights
on a domain server)

-(read share) Create a share on a server that is accessible to all
computers. In the Share Permissions, set Everyone to Read and Anonymous
Logon to Read. In that shared directory, create a script maybe called
localcheck.vbs (I suggest encoding it to a vbe) that can determine if the
logged on user is a local user or not and make it log the information in the
locals.log file created in the previous share.

- Now, create a script named something like checkreg.vbs that will check the
system's registry HKLM\Software\Microsoft\Windows\Run. Using this script you
add the execution of the localcheck.vbs that we created in the previous
step. You can just use All Users - Startup but if users are local admins,
they might keep removing the entry. Storing in the registry is a little
harder to find and if you don't want to edit the registry with a logon
script you can just do a mass remote registry edit. When you add the entry
in registry use something like "wscript.exe
\\server.domain.com\(ReadShareName)\localcheck.vbs" using the full UNC will
ensure that if the DNS suffix is different, you can still get to the script.

- In a Group Policy, add the checkreg.vbs as a startup script to the OU that
contains the computer that you want to check.

Now that you have everything logged, you can pretty much determine what is
going on. If you are still wanting an e-mail when it happens so you can respond
asap, you need to do the following.

The reason we did all the previous steps is because I assume that your
workstations are not authorized to send mail. So you just need to authorize
the server that contains the Change Share we created before and create a
file monitor described in this link:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0404.mspx

Use the __InstanceModificationEvent event on the locals.log file to send you
an e-mail.

I hope this is understandable.

Thanks,
Allan

"Miha" <miha.bernik@email.si> wrote in message
news:9A73E8CF-5187-4DE2-82AE-910F857CE42E@microsoft.com...
> Hi
>
> Does anyone know or have a script that will send me an email when a user
> logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
> credentials)?
> We're assuming that some of our company users know local admin password,
> so we want to know if someone tries or logs into his computer like local
> admin? Is this possible, or how can this be done?
> Thank you in advance !
> Regards,
> Miha
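
The local-versus-domain check that Pegasus (the %UserDomain% comparison) and Allan (localcheck.vbs) describe could look like the following. This is an added example, not a script posted by anyone in the thread; the share name `ChangeShareName`, the log line layout and the helper names `IsLocalAdmin` and `AppendLog` are assumptions.

```vbscript
' localcheck.vbs (added example; share name and log layout are assumptions)
Option Explicit

Const LOG_PATH = "\\server.domain.com\ChangeShareName\locals.log" ' placeholder share
Const FOR_APPENDING = 8
Const ADMINS_SID = "S-1-5-32-544" ' well-known SID of the built-in Administrators group

Dim net : Set net = CreateObject("WScript.Network")

' A local account is validated by the workstation's own SAM, so the logon
' domain equals the computer name; for a domain logon the two differ.
If StrComp(net.UserDomain, net.ComputerName, vbTextCompare) = 0 Then
    AppendLog Now & vbTab & net.ComputerName & vbTab & net.UserName & _
              vbTab & "local_admin=" & IsLocalAdmin(net.ComputerName, net.UserName)
End If

' True when the local account is a direct member of the local Administrators
' group. The group name is looked up by SID because it is localized.
Function IsLocalAdmin(computer, user)
    Dim wmi, grp, member, suffix
    IsLocalAdmin = False
    suffix = LCase("/" & computer & "/" & user)
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    For Each grp In wmi.ExecQuery("SELECT Name FROM Win32_Group " & _
            "WHERE LocalAccount = True AND SID = '" & ADMINS_SID & "'")
        For Each member In GetObject("WinNT://" & computer & "/" & grp.Name & ",group").Members
            ' Local members look like WinNT://<workgroup or domain>/<computer>/<user>
            If LCase(Right(member.ADsPath, Len(suffix))) = suffix Then IsLocalAdmin = True
        Next
    Next
End Function

' Append one line to the central log; an unreachable share is ignored so the
' user never sees an error dialog.
Sub AppendLog(line)
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    On Error Resume Next
    Set f = fso.OpenTextFile(LOG_PATH, FOR_APPENDING, True)
    If Err.Number = 0 Then
        f.WriteLine line
        f.Close
    End If
    On Error GoTo 0
End Sub
```

Because the log share grants Change to Everyone and Anonymous Logon, any client can edit or delete entries, so treat the file as a hint rather than evidence. With logon auditing enabled, the workstation's Security event log is the record that a local administrator cannot silently rewrite from a script.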

