Report user creation by mail, with a trigger

We all know that Administrators are trustworthy people, and that they all love to fill page after page of reports about the brand-new users they’ve created.

So what happens when you want reporting on their work even if they don’t want to?

The first thing is to forward Domain Controller events to a trusted computer you manage. To achieve this you can follow this article:

But this is only good for you if you have time to read those events.

So here is a solution for you: get alerted, by mail, about specific collected events.
This article assumes that event auditing is activated/configured on your DC, and takes as its example that you want to know “When and by whom is a user account created?”.

First step: Identify the events you need to report on.

Either you know the event by heart, or you read the official list, or you just generate the message you want by creating a new user 🙂

Then look at your event viewer and search for it.

Here it’s Category: User Account Management, ID: 4720

Right-click: Attach Task to this event

This opens a new Basic Task creation wizard.

Now it’s time to name this task.

Next. Then “When an event is logged” (greyed out, but the default parameters are just fine)

Action: Display a message

Next > Summary > Finish

Second step: Task fine-tuning

OK, now we have a nice brand-new task generating a superb pop-up message.

But we have no clue about the “when and who”.
So we have to get the event data inside our task and generate a custom message from here.

Open the event you used for “Attach Task To This Event” in the event viewer, and look at the Details pane.

Note the names of the fields you want to use in your task. Here I will use the following fields:

System – Computer
EventData – TargetUserName
EventData – SubjectUserName
EventData – UserPrincipalName

Next step: export the new task from the Task Scheduler to an XML file (right-click > Export).

Then open the XML task file (here I used Notepad++) and insert the following XML
entry in the EventTrigger section: a ValueQueries section and its Value data, as shown in the picture below:

Note that data from System is imported using:

<Value name="your_variable_here">Event/System/_source_</Value>

But for EventData the format is a little different, so you have to use:

<Value name="your_variable_here">Event/EventData/Data[@Name='_source_']</Value>

Save, and import the task in the Task Scheduler (note: you need to delete the
previous task if you want to update it).

Now that our event fields are updated in the task variable, we can use them in our
pop-up message.

Edit the task, and go to the Action pane

Modify the “Display a message” action

As you can see, it’s pretty straightforward: $(your_variable_here) will use the
variable filled from the event data as a string.

Just create a new user and you will have a pop-up like this one:

Now just add a new Action to your task to send an email.

You will get an email each time a new user is created by your admins, with the admin account and the new user name.
Isn’t this Task Scheduler great?
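
The edited task file from the steps above, as an added example (not the author's original file): the ValueQueries block for the four fields listed, plus the message and e-mail actions that consume them. The Subscription query, the message texts, the mail server and the addresses are constructed placeholders; keep the Subscription your own export contains.

```xml
<!-- Added example: fragment of an exported task file, values are constructed. -->
<Triggers>
  <EventTrigger>
    <Enabled>true</Enabled>
    <!-- Written by the wizard. Shown here for event 4720 in the local
         Security log (assumption); leave your exported query untouched. -->
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[EventID=4720]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    <!-- Inserted by hand: each Value copies one event field into a
         named task variable. -->
    <ValueQueries>
      <!-- Machine that logged the event -->
      <Value name="Computer">Event/System/Computer</Value>
      <!-- Account that was created -->
      <Value name="TargetUserName">Event/EventData/Data[@Name='TargetUserName']</Value>
      <!-- Account that performed the creation -->
      <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
      <Value name="UserPrincipalName">Event/EventData/Data[@Name='UserPrincipalName']</Value>
    </ValueQueries>
  </EventTrigger>
</Triggers>
<Actions Context="Author">
  <!-- "Display a message" action using the variables as $(name) -->
  <ShowMessage>
    <Title>New user account created</Title>
    <Body>$(SubjectUserName) created $(TargetUserName) ($(UserPrincipalName)) on $(Computer)</Body>
  </ShowMessage>
  <!-- "Send an e-mail" action; server and addresses are placeholders -->
  <SendEmail>
    <Server>smtp.example.test</Server>
    <Subject>User account created</Subject>
    <To>security-team@example.test</To>
    <From>task-scheduler@example.test</From>
    <Body>$(SubjectUserName) created $(TargetUserName) ($(UserPrincipalName)) on $(Computer)</Body>
  </SendEmail>
</Actions>
```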

