Trigger an e-mail when a user connects to the vCenter server over RDP.

We have a strict logon policy on VMware management servers such as vCenter and the View connection brokers. We have been looking for a way to get an alert whenever someone connects over RDP to the management servers (all are Windows 2008/2012).

A combination of Windows Task Scheduler and a PowerShell script did the trick.

1. The following PowerShell script “Get-RDPUser.ps1” will get the last terminal server (RDP) session details and send an e-mail to the team in HTML table format.

2. The following steps demonstrate how to trigger (launch) the PowerShell script “Get-RDPUser.ps1” from the specific Windows event logged on RDP login.

2.1 Launch “Event Viewer” and find the latest event for a successful RDP login. It should be located under “Applications and Services logs/Microsoft/Windows/TerminalServices-LocalSessionManager/Operational” with Event ID 21. Once found, right-click on the event and select “Attach Task to This Event…”, then use the defaults for the first couple of screens of the wizard.

2.2 Create a task to “Start a Program” with the following parameters:

Program/script: PowerShell.exe
Add arguments: c:\scripts\Get-RDPUser.ps1


2.3 Click Next.

2.4 Select “Open the Properties dialog for this task when I click finish” and select ‘Finish’. It will open properties of the task created.


3. Select “Run whether user is logged on or not” and click OK.

You should now receive e-mail notifications whenever someone connects to your server over RDP.
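
The wizard steps above can also be scripted. The following is an added example, not the Get-RDPUser.ps1 script or any other code from the original post; the task name RDP-Logon-Alert and running the task as SYSTEM are assumptions, while the log channel, event ID and script path are the ones given in steps 2.1 and 2.2.

```powershell
# Added example. Run from an elevated PowerShell prompt on the management server.
$Channel  = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Script   = 'C:\scripts\Get-RDPUser.ps1'   # script path from step 2.2
$TaskName = 'RDP-Logon-Alert'              # assumed task name

if (-not (Test-Path $Script)) { throw "Script not found: $Script" }

# Steps 2.1-2.2: create a task triggered by Event ID 21 in the channel above.
# /RU SYSTEM stands in for step 3: the task runs with no user logged on and
# no account password is stored in the task.
$Query = '*[System[(EventID=21)]]'
schtasks.exe /Create /F /TN $TaskName /SC ONEVENT /EC $Channel /MO $Query `
    /TR "PowerShell.exe -NoProfile -File $Script" /RU SYSTEM
if ($LASTEXITCODE -ne 0) { throw "schtasks.exe failed with exit code $LASTEXITCODE" }

# The script now runs as SYSTEM on every logon event, so anyone who can modify
# it can run code as SYSTEM. List write-capable ACL entries other than SYSTEM
# and Administrators; review anything this prints.
(Get-Acl $Script).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl' -and
        $_.IdentityReference -notmatch 'SYSTEM|Administrators'
    } |
    Select-Object IdentityReference, FileSystemRights

# Show the recent events that match the trigger. Event ID 21 is also logged for
# console logons, where Address is 'LOCAL', so those are filtered out here.
Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 21 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.EventXML
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; User = $d.User
            SessionID = $d.SessionID; Source = $d.Address
        }
    } |
    Where-Object { $_.Source -ne 'LOCAL' } |
    Select-Object Time, User, SessionID, Source
```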


  • Arkady Karasin

    Great solution! I attached to Event ID 25 as well. It is session reconnect.

    But I would like to have the computer name of the workstation from which the user connected. Is it possible?

    • sreejeshd

      Try this script. It's not tested well. I hope it will work.

      Instead of depending on quser output, this script will read the event details and send it as e-mail.

      # From e-mail address
      $FromAddress = "vCenterAdmin@pingforinfo.com"
      # To e-mail address
      $ToAddress = "VMwareAdmins@pingforinfo.com"
      # SMTP server address
      $SMTPAddress = "relay.pingforinfo.com"
      # Name of the server the script runs on (used in the subject line)
      $Computer = $env:COMPUTERNAME

      $USERDetails = @()

      # CSS for the HTML table in the mail body
      $a = "<style>"
      $a = $a + "TABLE{border-width: 1px;border-style: solid;border-color:black;}"
      $a = $a + "Table{background-color:#ffffff;border-collapse: collapse;}"
      $a = $a + "TH{border-width:1px;padding:0px;border-style:solid;border-color:black;}"
      $a = $a + "TR{border-width:1px;padding-left:5px;border-style:solid;border-color:black;}"
      $a = $a + "TD{border-width:1px;padding-left:5px;border-style:solid;border-color:black;}"
      $a = $a + "</style>"

      # Latest successful logon (Event ID 4624) with logon type 10 (RemoteInteractive, i.e. RDP)
      $LogOnEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; Level=0} | Where-Object { $_.Properties[8].Value -eq 10 } | Select-Object -First 1

      # Properties[5] is the target user name, Properties[18] the source IP address
      $HashProps = @{
          UserName = $LogOnEvents.Properties[5].Value
          ClientIP = $LogOnEvents.Properties[18].Value
          LogonTime = $LogOnEvents.TimeCreated
      }
      $USERDetails = New-Object -TypeName PSCustomObject -Property $HashProps |
          Select-Object -Property UserName,ClientIP,LogonTime
      $User = $USERDetails | Select-Object -ExpandProperty UserName

      # Build the message and send it as an HTML table
      $messageParameters = @{
          Subject = "[vCenter RDP Event] $User LoggedIn to $Computer"
          Body = ( $USERDetails | ConvertTo-Html -Head $a |
              Out-String -Width ([int]::MaxValue))
          From = $FromAddress
          To = $ToAddress
          SmtpServer = $SMTPAddress
      }
      Send-MailMessage @messageParameters -BodyAsHtml

      • Chris

        Love the second script as it displays the IP address, which is useful. Could you please provide a modified script for when that user logs off? I think it is Event ID 23 instead of 21 (or 4634 under the security log). Thanks, Chris

  • jack

    Hi, it doesn’t seem to be working. Can you please update it?