Trigger e-mail when user RDP to vCenter server.

We have strict logon policy on VMware Management servers like vCenter, View connection brokers etc. We have been looking for a solution to get alerts when someone RDP to the Management Servers (all are Windows 2008/2012).

Combination of Windows Task Scheduler and PowerShell script did the tick.

1. The following Powershell script “Get-RDPUser.ps1” will get the last terminal server (RDP) session details and send e-mail to the team in HTML table format.

2. The following steps will demonstrate how to trigger (launch) powershell script “Get-RDPUser.ps1” from the specific Windows Event of RDP login.

2.1 Launch “Event Viewer” and find the latest event on successful RDP login. It should be located under “Applications and Services logs/Microsoft/Windows/TerminalServices-LocalSessionManager/Operational” with Event ID 21. Once found, right-click on the event and select “Attach Task to This Event…” then use the defaults for the first couple screens of the wizard.

2.2 Create a task to “Start a Program” with the following parameters:

Program/script: PowerShell.exe
Add arguments: c:\scripts\Get-RDPUser.ps1.


2.3 Click Next.

2.4 Select “Open the Properties dialog for this task when I click finish” and select ‘Finish’. It will open properties of the task created.


3. Select “Run whether user is logged on or not” and click OK.

You should now receive email notifications whenever someone RDP into your server.


  • Arkady Karasin

    Great solution! I attached to Event ID 25 as well. It is session reconnect.

    But I would like to have the computer name of workstation from which user connected. Is it possible?

    • sreejeshd

      Try this script. Its not tested well. I hope it will work.

      Instead of depending on quser output, this script will read the event details and send it as e-mail.

      # From e-mail address
      $FromAddress = “”
      # To e-mail address
      $ToAddress = “”
      # SMTP server address
      $SMTPAddress = “”

      $USERDetails = @()

      $a = “”
      $a = $a + “TABLE{border-width: 1px;border-style: solid;border-color:black;}”
      $a = $a + “Table{background-color:#ffffff;border-collapse: collapse;}”
      $a = $a + “TH{border-width:1px;padding:0px;border-style:solid;border-color:black;}”
      $a = $a + “TR{border-width:1px;padding-left:5px;border-style:solid;border-color:black;}”
      $a = $a + “TD{border-width:1px;padding-left:5px;border-style:solid;border-color:black;}”
      $a = $a + “”

      $LogOnEvents = Get-WinEvent -filterHashtable @{LogName=’Security’; Id=4624; Level=0} | Where-Object{ $_.Properties[8].Value -eq 10} | select -First 1

      $HashProps = @{
      UserName = $LogOnEvents.Properties[5].value
      ClientIP = $LogOnEvents.Properties[18].value
      LogonTime = $LogOnEvents.TimeCreated
      $USERDetails = New-Object -TypeName PSCustomObject -Property $HashProps |
      Select-Object -Property UserName,ClientIP,LogonTime
      $User = $USERDetails | Select -ExpandProperty UserName

      $messageParameters = @{
      Subject = “[vCenter RDP Event] $User LoggedIn to $Computer ”
      Body = ( $USERDetails | ConvertTo-Html -Head $a |
      Out-String -Width ([int]::MaxValue))
      From = $FromAddress
      To = $ToAddress
      SmtpServer = $SMTPAddress
      Send-MailMessage @messageParameters -BodyAsHtml

      • Chris

        Love the second script as it displays IP address which is useful. Could you please provide modified script for when that user logs off. I think it is Event ID 23 instead of 21 (or 4634 under security log) thanks, Chris

  • jack

    Hi It doesn’t seems to working can you please update it