Well, a couple of solutions exist here:

1. You can set a generic notification at logon time

Start->Programs->Administrative Tools->Local Security Policy->Local Policies->Security Options-> Message Text/Title for Users Attempting to Logon

You could say something menacing like "I know what you're doing, so don't even try it..." :-)

2. Enable auditing for the success & failure of logon events.

Start->Programs->Administrative Tools->Local Security Policy->Local Policies->Audit Policy->Audit Logon/Account Logon Events

This will enable the generation of event entries in the security event log, events like:

- 530 (Failure Audit) Account logon time restriction violation
- 529 (Failure Audit) Unknown user name or bad password
- 537 (Failure Audit) An error occurred during logon

3. You can easily retrieve these events either by manual perusal of the event logs (a tedious job), or with freeware tools like Mark Russinovich's PSLogList http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml, or with a bit of VBS:

' "." means the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Reading the Security log requires SeSecurityPrivilege
objWMIService.Security_.Privileges.AddAsString "SeSecurityPrivilege"
' Event 530 = account logon time restriction violation
Set colLoggedEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode='530'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "     Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "   Event Code: " & objEvent.EventCode
    Wscript.Echo "      Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "  Source Name: " & objEvent.SourceName
    Wscript.Echo " Time Written: " & objEvent.TimeWritten
    Wscript.Echo "   Event Type: " & objEvent.Type
    Wscript.Echo "         User: " & objEvent.User
Next

If you're *really* paranoid, you can register a temporary event consumer using WMI to keep a sleeper thread active to the Security event log, and have it e-mail (or page) you in the event it encounters restricted
logon activity. If you'd like to initiate a less passive course of action, you can actually have the system shut itself down each time it encounters this (again, using WMI). There's plenty o' data on registering consumers on MSDN, or you can simply activate a script like the one below through a batch file at system startup.

#! c:\perl\bin\perl.exe -w
# developed on Windows XP
use strict;
use Win32;
use Win32::OLE qw(in);
use Win32::OLE::Const 'Microsoft CDO 1.21 Library';
$Win32::OLE::Warn = 3;    # die on any OLE error

my $smtpsrvr = "mailserver.company.com";
my $fromaddr = "[EMAIL PROTECTED]";
my $recpaddr = "[EMAIL PROTECTED]";
my $computer = Win32::NodeName;

# Notification query: fires for each new Security log record with this
# EventCode. Use '530' to watch for logon time restriction violations.
my $query = "SELECT * FROM __instancecreationevent ";
$query .= "WHERE targetinstance ISA 'Win32_NTLogEvent' ";
$query .= "AND targetinstance.Logfile='Security' ";
$query .= "AND targetinstance.EventCode='552'";

# The (security) privilege in the moniker is needed to read the Security log.
my $events = Win32::OLE->GetObject("WinMgmts:{impersonationLevel=impersonate,(security)}")->
    ExecNotificationQuery($query) || die Win32::OLE->LastError;

print "Polling for new Security Events...\n";

# NextEvent blocks until a matching event is written to the log.
while (my $event = $events->NextEvent) {
    print "-" x 75; print "\n";
    my $evtid = $event->TargetInstance->{EventCode};
    print "       EventCode: ".$evtid."\n";
    print "        Category: ".$event->TargetInstance->{Category}."\n";
    print "  CategoryString: ".$event->TargetInstance->{CategoryString}."\n";
    print "    ComputerName: ".$event->TargetInstance->{ComputerName}."\n";
    #print "            Data: ".$event->TargetInstance->{Data}."\n";
    print " EventIdentifier: ".$event->TargetInstance->{EventIdentifier}."\n";
    print "InsertionStrings: ".$event->TargetInstance->{InsertionStrings}."\n";
    print "         Logfile: ".$event->TargetInstance->{Logfile}."\n";
    print "    RecordNumber: ".$event->TargetInstance->{RecordNumber}."\n";
    print "      SourceName: ".$event->TargetInstance->{SourceName}."\n";
    print "   TimeGenerated: ".$event->TargetInstance->{TimeGenerated}."\n";
    print "     TimeWritten: ".$event->TargetInstance->{TimeWritten}."\n";
    print "            Type: ".$event->TargetInstance->{Type}."\n";
    print "            User: ".$event->TargetInstance->{User}."\n";
    #print "         Message: ".$event->TargetInstance->{Message}."\n";
    print "-" x 75; print "\n";

    # Send off an e-mail about the captured event...
    my $time = scalar(localtime());
    &e_mail ($smtpsrvr, $fromaddr, $recpaddr,
             "Event $evtid was generated on $computer on $time",
             $event->TargetInstance->{Message});
    print "Polling for new Security Events...\n";
}

#-----------------------------------------------------------------------------------
sub e_mail {
#-----------------------------------------------------------------------------------
    # Sends a plain-text message through the given SMTP server using CDO.Message.
    my ($strsrvr, $strfrom, $strrecp, $strsubj, $strbody) = @_;

    my $cdoSendUsingMethod = 'http://schemas.microsoft.com/cdo/configuration/sendusing';
    my $cdoSMTPServer      = 'http://schemas.microsoft.com/cdo/configuration/smtpserver';
    my $cdoSMTPServerPort  = 'http://schemas.microsoft.com/cdo/configuration/smtpserverport';
    my $cdoSendUserName    = 'http://schemas.microsoft.com/cdo/configuration/sendusername';
    my $cdoSendPassword    = 'http://schemas.microsoft.com/cdo/configuration/sendpassword';
    my $cdoSendReplyAddr   = 'http://schemas.microsoft.com/cdo/configuration/senduserreplyemailaddress';
    my $cdoSendUsingPort   = '2';    # send over the network to an SMTP port

    my $objCDOMsg = Win32::OLE->new('CDO.Message');
    $objCDOMsg->{'From'}     = $strfrom;
    $objCDOMsg->{'To'}       = $strrecp;
    $objCDOMsg->{'Subject'}  = $strsubj;
    $objCDOMsg->{'Textbody'} = $strbody;

    $objCDOMsg->Configuration->Fields->Item($cdoSendUsingMethod)->{Value} = $cdoSendUsingPort;
    $objCDOMsg->Configuration->Fields->Item($cdoSMTPServer)->{Value} = $strsrvr;
    $objCDOMsg->Configuration->Fields->Item($cdoSMTPServerPort)->{Value} = '25';
    $objCDOMsg->Configuration->Fields->Update;
    $objCDOMsg->Send;

    undef($objCDOMsg);
    return;
}

Hope this helps,
Richard

> -----Original Message-----
> From: Mr Clark [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 07, 2003 10:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD, Logon times & Custom messages
>
> Well, I just
> wanted to customize the message for my kids when they try to *sneak* on
> the computer during the middle of the night. :)
>
> As another thought, is there a way to "log" when someone tries to sign on
> at a restricted time?
>
> Charlie
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Roger Seielstad
> Sent: Monday, July 07, 2003 09:43
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD, Logon times & Custom messages
>
> Best guess is that you cannot modify the message.
>
> As is pretty much standard for that type of message in Microsoft products,
> it's coded into a DLL, and the only supportable way to do that would be to
> engage Microsoft Consulting Services to modify the DLL.
>
> However, since I believe that's part of the LSASS process on the client,
> and that gets patched somewhat regularly by service packs, etc, you'd have
> to re-engage them for every new service pack. IMO, it's not worth it.
>
> What are you trying to accomplish?
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
>
> > -----Original Message-----
> > From: Mr Clark [mailto:[EMAIL PROTECTED]
> > Sent: Monday, July 07, 2003 9:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] AD, Logon times & Custom messages
> >
> >
> > Greetings all.
> > I'm new to the list and very new to AD.
> >
> > I have successfully set up my server for our LAN. DNS functions
> > correctly (so far, no error messages), etc.
> >
> > The question I would like to start off with first is this:
> >
> > Under Active Directory, you can specify Logon times for a user.
> >
> > What I would like to know is this:
> > Can you customize the message that comes up when a user tries to logon
> > during the prohibited time?
> >
> > I haven't seen this listed in the MSKB, and I didn't turn up anything
> > via google.
> >
> > TIA
> >
> > Charlie
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
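
The same retrieval on Windows Vista / Server 2008 and later, as an added example that is not part of the original thread: on those systems the failure events 529, 530 and 537 listed above are all logged as event 4625, with the reason carried in the Status and SubStatus fields. This goes beyond the XP-era event IDs the thread discusses; the names Get-FailedLogon and $FailureReasons are made up for this example, and it assumes an elevated session with logon failure auditing enabled.

```powershell
# Added example, not from the thread. Get-FailedLogon and $FailureReasons
# are hypothetical names; run from an elevated PowerShell session.

# NTSTATUS values found in the Status / SubStatus fields of event 4625.
$FailureReasons = @{
    '0xc000006f' = 'Logon outside permitted hours'   # formerly event 530
    '0xc000006a' = 'Bad password'                    # formerly event 529
    '0xc0000064' = 'Unknown user name'               # formerly event 529
}

function Get-FailedLogon {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    # SilentlyContinue: an empty result is reported as an error by Get-WinEvent.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # The specific reason is normally in SubStatus; fall back to Status.
            $code = @($data['SubStatus'], $data['Status']) |
                Where-Object { $_ -and $FailureReasons.ContainsKey($_) } |
                Select-Object -First 1
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
                Reason      = if ($code) { $FailureReasons[$code] }
                              else { "Other ($($data['Status']))" }
            }
        }
}

# Logon attempts outside the permitted hours during the last day:
Get-FailedLogon |
    Where-Object { $_.Reason -like 'Logon outside*' } |
    Format-Table -AutoSize
```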
