Monitoring User Logons to Specific Workstations
Written on September 5, 2011

The script and group policy below will allow you to monitor a specific group of users logging on to certain workstations/computers. This is helpful if you believe users are logging on to machines in an unusual pattern or to workstations they probably shouldn’t be using. Of course you can lock users down to specific machines, but in this situation, that wasn’t an option for me.

NotifyLogon.ps1

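# Runs as a user logon script, so USERNAME/COMPUTERNAME describe the user who just logged on and the machine they used
$mailBody = "[{0}] {1} has logged on to {2}" -f $(Get-Date),$env:USERNAME,$env:COMPUTERNAME
$mailSubject = "[{0}] {1}" -f $env:COMPUTERNAME,$env:USERNAME
# Send the alert to the helpdesk mailbox through the internal SMTP server
Send-MailMessage -Body $mailBody -From logonalerts@contoso.com -SmtpServer "mailserver.contoso.com" -Subject $mailSubject -To helpdesk@contoso.com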

This script sends a basic email in the format:

[17/08/2011 4:31:29 PM] kim.akers has logged on to KIOSK14

Next, create a group policy to assign this as a logon script for users when they log on to machines in the specified OU:

Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode: Enabled (Merge)
User Configuration\Policies\Windows Settings\Scripts\Logon: NotifyLogon.ps1

Link this policy to the OU containing the Computers you wish to monitor, and set your security filtering to allow the policy to apply to these Computers (I use the Domain Computers group) and the Users whom you wish to monitor.
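The policy steps above can also be scripted with the GroupPolicy module from RSAT. This is an added example, not part of the original post; the GPO name, OU path and user group name are placeholders to replace with your own.

```powershell
#Requires -Modules GroupPolicy
# Added example. Default parameter values are placeholders, not values from the post.
param(
    [string]$GpoName       = 'Notify-Logon',                # placeholder GPO name
    [string]$TargetOU      = 'OU=Kiosks,DC=contoso,DC=com', # placeholder OU holding the monitored computers
    [string]$WatchedGroup  = 'Monitored-Users',             # placeholder group of users to monitor
    [string]$ComputerGroup = 'Domain Computers'             # computer group used for filtering in the post
)

$ErrorActionPreference = 'Stop'

# 1. Create the GPO that will carry the loopback setting and the logon script
New-GPO -Name $GpoName -Comment 'Logon notification, loopback Merge' | Out-Null

# 2. Enable user group policy loopback processing.
#    The setting is stored as UserPolicyMode: 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. Security filtering. A new GPO applies to Authenticated Users by default,
#    so drop that group to Read; -Replace is required to lower a permission.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

#    Apply only to the monitored computers and the monitored users
foreach ($group in $ComputerGroup, $WatchedGroup) {
    Set-GPPermission -Name $GpoName -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# 4. Link the GPO to the OU containing the computers to monitor
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# 5. Show the resulting filtering so it can be reviewed before rollout
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The GroupPolicy module has no cmdlet for assigning logon scripts, so NotifyLogon.ps1 still has to be added under User Configuration\Policies\Windows Settings\Scripts\Logon in the Group Policy Management Editor.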
