I was digging around to find a way to get an email when someone logged on to our source control server. It is a pretty important server, so I want to make sure people are only logging into it when they are supposed to.
When I first started working on this idea I was going to write a custom application, and use that along with blat. Blat is an email sending program that can be used from the command line.
I was surprised that I could get exactly what I wanted without any third-party application. This works for 2008, Vista, and Windows 7. If you are still running Windows 2003, you will need to cobble together a collection of apps to accomplish this (sorry).
Start out by opening the event viewer. Right click on the security log on the left hand side. Click on the menu item that says “Attach a task to this log”, and a task wizard will be displayed.
Type in a description for your task:
This page is annoying. I have not had time to test on other systems. But on mine all the fields are disabled. It would be nice if I could enter the info I wanted here. Instead we will need to go into the advanced settings of the task – more on that in a little bit. Just click next.
See, there is our option: send an email. You could launch a program too, or have a message pop up for a specific user.
Fill out your email settings. I pointed it at our internal exchange server:
Very important, don’t miss this one: make sure you check the option to open advanced properties. Otherwise you will get an email message for every entry in the security log:
Click finish, and the advanced properties are displayed. Set the task to always run. Otherwise it would only run while you are logged on, and that would be silly.
Go to the “Actions” tab, and double click on the only action listed.
Set your source to “Microsoft Windows security auditing” and your event ID number to 4624 (you can use 4634 for logoff).
Click OK and you are done. When someone logs on to your system, you will receive an email notification with all of the event info.
The best part about this tip is that you don’t need any third party apps – it is all built into Windows.
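An added PowerShell example, not part of the original article: it reads the same 4624 events from the Security log but reports only interactive logons (type 2 at the console, type 10 over Remote Desktop), with the account name and source address in the mail body. The mail server, the addresses and the five-minute window are placeholders, and the script is assumed to run elevated as a scheduled task every five minutes.

```powershell
# Added example: mail a summary of interactive logons (event ID 4624).
# Placeholders, not from the article: mail server, addresses, look-back window.
$SmtpServer = 'mail.example.internal'
$MailFrom   = 'logon-alert@example.internal'
$MailTo     = 'admin@example.internal'
$Since      = (Get-Date).AddMinutes(-5)   # assumed to match the task interval

# Pull recent 4624 events. Get-WinEvent raises an error when nothing matches,
# so that case is silenced and simply yields no events.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $Since
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep console (2) and Remote Desktop (10) logons only. Network (3) and
    # service (5) logons are what flood the mailbox when every 4624 is mailed.
    if ($data['LogonType'] -notin '2', '10') { continue }

    # Newer Windows versions also log type 2 sessions for built-in desktop
    # accounts (DWM-n, UMFD-n); these are not people, so skip them.
    if ($data['TargetDomainName'] -in 'Window Manager', 'Font Driver Host') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
    }
}

# One message per run, and only when there is something to report.
if ($logons) {
    $body = $logons | Sort-Object Time | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "Interactive logon on $env:COMPUTERNAME" -Body $body
}
```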
{ 27 comments… read them below or add one }
Thanks,
But does it show the user that has actually logged on to the server?
just a small note:
Go to the “Actions” tab, and double click on the only action listed
should be:
Go to the “Triggers” tab, and double click on the only action listed
Hi, how to hide client system IP address to the intelliadmin by using client? Is there any possible?
any idea how to have the script differentiate between a real meat world log on and a log on by Advapi?
They both generate an event ID of 4624 so I get hit with loads of emails.
Look for a way to lock it down to human log on only.
TIA.
The logon type for people sitting in front of the machine is 2.
This article shows how to get a report of this…use the script mentioned in the article and you should be able to modify it for your needs:
http://www.intelliadmin.com/index.php/2012/07/see-who-logged-on-to-a-computer-and-when/
how do i remove it ??
urgent
Hello Manish,
What are you trying to remove?
Thanks,
Steve
Thanks
Guys, any idea how I can disable these alerts created under event viewer? This is just filling up my mailbox every second. Please help.
Is there any way to get an email when someone logs off? I just need this feature once a month when I’m doing regular maintenance. Too many users working via VPN all day long to let me boot the server anymore.
Hi,
I get the email notification but i don’t get any detail of login, could you please advise ? I expect to receive at least the ip address and time of login.
Thank you
Amit
Dear Support,
I am not able to send mail from security log
______________________________________
Task Scheduler failed to complete task “\Event Viewer Tasks\Security” , instance “{82e2e8a3-51db-48e4-9cdb-9c657b476b1f}” , action “login mail” . Additional Data: Error Value: 2147746321.
This error we are receiving kindly help I really appreciate for your help
Thanks
Ram
That error message 2147746321 means: CDO_E_SMTP_SEND_FAILED
This means you can’t send mail through the server. I would check the script by hand before running it as a task and see where the issue is.
How to delete the created event in the security please its urgent
How to delete the created event in the security please its urgent hurryyyyy
mr.Steve Wiseman
Hi Mohammed,
You can’t delete one event. MS has built it this way for security reasons. You would just need to clear the entire log…but then someone would notice that 🙂
Hi,
I want to know, how can you send an e-mail without your smtp credentials. I’m trying to create a scheduled task but this task can not send an e-mail (because I didn’t write my password etc.)
Thanks
How do you modify this task? I am receiving way too many e-mails all night long from this task.
For those of you who don’t know how to delete a task go into task scheduler – (administrative tools > Task Scheduler) and click on the task library select the task and delete it.
Also, if you want a way that won’t spam you to death, set up the task manually but set the trigger to “At log on” instead of on events. Also add in 2 more triggers for “On Connection to user session”, 1 for remote and 1 for local.
This way you will only get genuine logons and not from every time somebody connects to a file share or uses some other server resource.
Excellent! Works great, is there no way to pull the users info? I mean we have over 50users in my organisation… Is there no way to pull each user name?
Good Job, Worked Perfect, Also thanks to Michael for the complement.
Sweet. I needed to do the exact same thing for login notification, and I had no idea this feature existed. Thanks!
I just got a pop-up error message saying:
An error has occured for the task user logon email notification. Error message: User account restriction error. The possible reasons are that blank passwords not allowed, or that a policy restriction has been enforced.
Hello All,
I followed the steps and configured the alerts.
I did log off and log in on to the server but still I have not received any email Alert
You should use event ID 4648 or you will have the mailbox flooded with emails 😉
Is this possible using gmail smtp? Our organization uses google for work.
Guys, I have a problem with Windows 10, any ideas? Because this feature has been removed…
Apparently, it’s deprecated in windows 10.