Active Directory Scripts Security Windows Server

AD Login Alerting

Mike Hosker

Building on AD Login Logging — which captures login data to a CSV — this post adds alerting: sending an email or SMS whenever specific users (admin accounts, for example) log in.

Collecting Login Data

The logon script gathers the same five values as before (date, time, user name, computer name and IPv4 address):

:: Date, time, user and computer come straight from the logon environment
set "val1=%DATE%"
set "val2=%TIME%"
set "val3=%USERNAME%"
set "val4=%COMPUTERNAME%"

:: Take the second colon-delimited token of each "IPv4 Address" line that
:: ipconfig prints; on a machine with several adapters the last one listed wins
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do set ip=%%b
:: Drop the single space that follows the colon in ipconfig's output
set "ip=%ip:~1%"

Sending the Alert

Rather than writing to a CSV, the alert version passes this data to Mail Alert Simple Mailer — a lightweight command-line mailer that stores the SMTP password encrypted in its config file, so credentials aren't in plain text in the script.

set "str=Admin login: %val1% %val2% | User: %val3% | PC: %val4% | IP: %ip%"

MailAlert.exe -s "Admin Login Detected" -b "%str%"

The subject line makes it easy to set up a filter in your email client that flags these immediately.

SMS Alternative

You can replace the email step with smscmd for SMS alerts. The downside is that SMS requires prepaid credits, so email is preferable for anything logging at volume. SMS makes sense for high-priority alerts only.

Deployment

This script goes in the NETLOGON share and is called from the domain logon script — but only for specific users or groups. Target it at admin accounts or any user group you want to monitor:

:: In the main logon script (/i makes the user name comparison case-insensitive)
if /i "%USERNAME%"=="adminuser1" call "\\domain\NETLOGON\alert_login.bat"

Or use a group policy loopback to apply the alerting script only to members of a specific AD group.
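The fragments above (the value collection and the per-user call) can be combined into one alert script that decides for itself whether the current user is worth alerting on, by checking the logon token's group list rather than hard-coding user names. The script below is an added example, not the post's original alert_login.bat; it assumes (not stated in the post) that MailAlert.exe sits in the NETLOGON share next to the script, that the group to watch is "Domain Admins", and that the main logon script calls this file for every user so the group test does the gating. It also takes the first IPv4 address instead of the last, which matters on multi-homed machines.

```batch
@echo off
:: alert_login.bat -- added example, not the post's original script.
:: Assumed (not from the post): MailAlert.exe is copied to the NETLOGON share
:: alongside this file, the group to watch is "Domain Admins", and the main
:: logon script calls this file for everyone; the group test below does the gating.
setlocal

:: Gate on token group membership instead of hard-coded user names.
:: "whoami /groups" lists the groups in the logon token; find /i matches the
:: name case-insensitively and sets errorlevel 1 when there is no match.
whoami /groups | find /i "Domain Admins" >nul
if errorlevel 1 goto :done

:: Same five values the post collects.
set "val1=%DATE%"
set "val2=%TIME%"
set "val3=%USERNAME%"
set "val4=%COMPUTERNAME%"

:: First IPv4 address only. The post's loop keeps the LAST match, which on a
:: multi-homed machine (VPN, virtual adapters) may not be the one you want.
:: "if defined" is evaluated at run time, so no delayed expansion is needed.
set "ip="
for /f "tokens=2 delims=:" %%a in ('ipconfig ^| find "IPv4"') do (
    if not defined ip set "ip=%%a"
)
:: ipconfig prints ": 10.0.0.5", so drop the leading space; fall back if no adapter.
if defined ip set "ip=%ip:~1%"
if not defined ip set "ip=unknown"

set "str=Admin login: %val1% %val2% | User: %val3% | PC: %val4% | IP: %ip%"

:: -s (subject) and -b (body) are the switches the post uses for MailAlert.exe.
:: Putting the user name in the subject lets a mail filter flag specific accounts.
"\\domain\NETLOGON\MailAlert.exe" -s "Admin Login Detected: %val3%" -b "%str%"

:done
endlocal
```

Because the gating happens inside the script, the main logon script only needs a single unconditional `call "\\domain\NETLOGON\alert_login.bat"`; changing who gets alerted on then means editing group membership in AD rather than the logon script. Note that `find` does a substring match, so a group whose name contains "Domain Admins" would also trigger it; use an exact, distinctive group name.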

Security Recommendation

Lock down the email account used for sending alerts so it can only send to specified recipients. This prevents the account being misused if credentials are ever exposed.