Categories
Self-organization

How to use powershell to detect logins and alert through email

Taylor Gibb is a professional software developer with nearly a decade of experience. He served as Microsoft Regional Director in South Africa for two years and has received multiple Microsoft MVP (Most Valued Professional) awards. He currently works in R&D at Derivco International. Read more.

How to use powershell to detect logins and alert through email

The Windows Task Scheduler can automatically send email at a specific time or in response to a specific event, but its integrated email feature won’t work very well for most users.

We have already shown you how to do this using a third party tool, but who really wants to do that when you can do it with tools built right into Windows?

Enter PowerShell + Task Scheduler

The first thing we need to do is set up a scheduled task, to do so press the Win + R keyboard combination to bring up a run box then type “control schedtasks” and press enter.

How to use powershell to detect logins and alert through email

When the Task Scheduler opens click on the Create Task… link.

How to use powershell to detect logins and alert through email

On the General pane, provide a name and description for the task. You should also select the Run whether user is logged on or not option.

How to use powershell to detect logins and alert through email

Then switch over to the Triggers tab and add a new trigger. The trigger should be set to fire at log on, which can be selected from the drop down.

How to use powershell to detect logins and alert through email

Finally, you will want to switch over to the actions tab and add a new action. From there, you will want to choose to start a new program, and the program we want this trigger to start is “powershell”. You will then need to paste the following into the arguments text box.

-Command “Send-MailMessage -From “[email protected]” -To “[email protected]” -Body “Someone Just Logged In” -Subject “LOGIN” -SmtpServer “smtp.gmail.com” -Port 587 -Credential $(New-Object System.Management.Automation.PSCredential ([email protected], $(ConvertTo-SecureString “PASSWORD” -AsPlainText -Force))) –UseSsl”

Note that you will need to change all occurrences of [email protected] to the username of a real GMail account and PASSWORD to the password for that account. Alternatively, you can opt to use your own SMTP server.

How to use powershell to detect logins and alert through email

On the Conditions tab, uncheck Start the task only if the computer is on AC power option, or you won’t get emails if your computer is a laptop and it’s unplugged.

How to use powershell to detect logins and alert through email

Click the OK button and save your task. You should now receive email notifications whenever someone logs into your computer.

Table of Contents

Since its introduction in the first Windows NT Server, the Event Viewer has always been an essential tool for any System Administrator as the primary source to detect, locate and review a vast majority of issues related to Windows programs, services, frameworks, and even third-party installed software in order to improve the performances and the overall stability of any virtual or physical machine.

It’s almost sad that, despite all these years, this tool is still affected – at least in my humble opinion – by at least two major issues:

  • the constant slowness, due to the fact that all logs are basically stored in log files which are then parsed in real-time by the application itself resulting in a severe performance impact.
  • the unconfortable location, nested inside the Control Panel >Administrative Tools since it’s meant to be used by admins only.

These two issues are often the reason why the Event Viewer is still not always used by many users & admins who tend to forget about its existence, leaving errors and warnings that could easily be solved as they pile up.

This post shows a way to avoid this undesirable behavior by setting up a simple e-mail notification system of all the system event as soon as they’re made available to the Event Viewer. The system will also allow the user to choose the event log file (Application, Security, Setup & more) and/or the event type (Information, Error & more) and/or the event ID: let’s see how to achieve such result.

Windows 2008 RC2

Windows Server 2008 RC2 – and all the previous versions – gives the user the option to setup a native e-mail alert: all we need to do is to right-click the log file/event where we want to attach the notification upon and select the Attach a task to this log/event… command: then, in the Action panel, choose Send an e-mail and fill up the required fields: sender, address, SMTP server info,etc.

Windows 2012 Server

This is not the case of Windows 2012 Server and Windows 2012 R2 Server, where the Send an e-mail option is shown as deprecated. The word usually means that the functionality will be no longer supported in future version but that’s not the case in this scenario, as the system will prevent us to actively use it even now – if we try to save, it won’t let us to.

How to use powershell to detect logins and alert through email

Luckily enough, we can obtain the same behaviour by using a Powershell script: it’s also worth to mention that – as clearly stated in this Microsoft TechNet Forum post – the send-by-mail feature removal was apparently performed by Microsoft in order to enforce Powershell script-based workarounds like the one we’re about to show. The reason behind this choice ain’t clear enough – no wonder that many sysadmins complained about that: the good news is that the Powershell method, other than being very simple to adopt, allows a much wider set of options than the deprecated Send to e-mail native option. In order to implement that you need to perform two tasks: Create the Powershell script and Setup the Scheduled Task. As soon as you do that, you can also Generate a Test Event them to check that everything is properly working.

Is there a way to setup a notification from the server when a particular user logs on somewhere? I’d like to set it up for the admin account that I use (in case I wasn’t the one that logged in) and also for the admin account that we have setup for our 3rd party support company. I didn’t know if there was an event that I could look for and then set something up to email me when the event is recorded? Can this only be done through 3rd party software? These would be Windows 2008 servers. Thanks.

  • Are you smarter than most IT pros? Take the Daily Challenge »
  • There is not enough free space on partition (G:)
  • ::1 in logs of IIS
  • How does VM activation work with Server 2019 Datacenter and ESXi
  • ROM
  • CPU
  • RAM
  • GPU

7 Replies

“send email when user logs on” is how I did it.

Start > Run:
%windir%\system32\gpedit.msc
User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon

. you can define a script there to do whatever you want. Or you could also use a network logon script, but that will only run if they are logging into a domain that is available.

. the method described on the site required me to run a public IIS server – this way the script has the best chance to send an email regardless of when the user was on our network, vs. at home vs. at a public hotspot (this doesn’t always work due to network restricts or captive portals, but it often does).

Some adaptation of it may work for you. Obviously if your only interested in server logins, and not end-users with laptops, then this might be overkill.

Brand Representative for IS Decisions

Full monitoring, alerting, auditing – as well as control and restriction of user logins across a Windows Server based network with UserLock.

More details on monitoring here

Free 30Day Trial Download – fully functional.

How to use powershell to detect logins and alert through email

How to use powershell to detect logins and alert through email

I should have mentioned that I’d like this to notify me if the admin accounts logon to any network server or PC. Would I set this up on the domain controller? I already have the account logon auditing setup like the video showed.

I should have mentioned that I’d like this to notify me if the admin accounts logon to any network server or PC. Would I set this up on the domain controller? I already have the account logon auditing setup like the video showed.

If you use the method described in the HowTo Geek article, you could add a scheduled task to whatever systems you want to monitor all from your scheduled task console, just by connecting to those remote machines. WMI and WinRM need to be enabled if they aren’t already but it’s not hard to do for free. Alternatively you have IS Decisions UserLock and Netwrix Auditor for these situations too.

“send email when user logs on” is how I did it.

Start > Run:
%windir%\system32\gpedit.msc
User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon

. you can define a script there to do whatever you want. Or you could also use a network logon script, but that will only run if they are logging into a domain that is available.

. the method described on the site required me to run a public IIS server – this way the script has the best chance to send an email regardless of when the user was on our network, vs. at home vs. at a public hotspot (this doesn’t always work due to network restricts or captive portals, but it often does).

Some adaptation of it may work for you. Obviously if your only interested in server logins, and not end-users with laptops, then this might be overkill.

Does this cover the entire network (PCs, servers, laptops)? Did you do the gpedit on the domain controller?

4sysops – The online community for SysAdmins and DevOps

  • Author
  • Recent Posts

How to use powershell to detect logins and alert through email

How to use powershell to detect logins and alert through email

  • Clean up user profiles with PowerShell – Mon, Jun 9 2014
  • Track user logons with a PowerShell script – Fri, Jun 6 2014
  • Configuring logon PowerShell scripts with Group Policy – Tue, Jun 3 2014
  • The script
  • Setting it up
  • Results
  • Summary

A question I hear often is how to track what computer a user has logged on to. Usually the implication is that the Windows administrator wants a central source that she can easily check. Well what is more central than Active Directory? Since the user can already write to a number of properties on their own user object, why not capture logon (and logoff data as long as we’re at it) and store it with the user?

The script ^

I wrote a short script that uses ADSI to accomplish this task. I chose this route to avoid requiring that the user’s desktop have any other modules or requirements. Here is my Set-UserStatus.ps1 script.

The script needs a single parameter to indicate Logon or Logoff. The default is Unknown. Because this will be running as Group Policy script, I didn’t want to worry about errors or prompts if the administrator set it up wrong. They would find that out as soon as they tested it, checked the user account and saw “Unknown” for the status.

The script uses ADSI to find the user’s account in Active Directory. It then writes a string with the date and time, the status (ie Logon or Logoff) and the computername. The string is written to the Info property, which is what you see as the Notes property on the Telephones tab.

How to use powershell to detect logins and alert through email

Telephones tab

In my test domain, user accounts have permission to write to this property. You might want to pick a different property, perhaps one that doesn’t even show in the GUI. You’ll need to take steps to ensure users have permissions to write to that property on their own object.

Setting it up ^

To use, I followed the steps in my previous article to copy the script to a GPO and then added it. Because my script takes a parameter, I need to add it as I shown below.

Add PowerShell script to Logon scripts

If your script uses parameters, I think the best approach is to make them all positional in your script. The screenshots above depicts configuring the script for user logon. After finishing, I then double-clicked Logoff in the same GPO. I clicked Add and then Browse.

Now, I could have copied the script again to the Logoff GPO container, but since the script is the same, in the Explorer window I can click on Scripts in the path to navigate “up”

How to use powershell to detect logins and alert through email

Scripts folder

Then double-click the Logon folder.

Navigate to Logon scripts

I can now pick the same script I used for logon.

Add to Logoff scripts

Of course, I need to make sure I set the parameter to Logoff.

Set the parameter to Logoff

When finished, I can configure any security filtering, link to the necessary organizational units, or the domain and I’m ready to go.

Results ^

When the user logs on or off, their user account will be updated as I showed in the first screenshot. Depending on your configuration and network, the status update might take a minute or two to show up in Active Directory. My script won’t give you an exact, to the second, time they logged on or off but a pretty close approximation. You might also need to take into account the effect this script might have on replication, so please test thoroughly in a non-production environment.

Of course, with PowerShell this is also easy to discover, and if you use a property that isn’t exposed in Active Directory Users and Computers, you will have no choice but to use PowerShell to find the status information.

Windows Event logs is one of the first tools an admin uses to analyze problems and to see where does an issue come from. But it is not the only way you can use logged events. In this article, I will show you how to use PowerShell and Get-EventLog to perform some Event Log magic. But first, a few words about the logs in general.

How to use powershell to detect logins and alert through email

Event logging in Windows

First, there are two ways to access the events logged in Windows – through the Event Viewer and using the Get-EventLog / Get-WinEvent cmdlets. The Event Viewer is an intuitive tool which lets you find all the required info, provided you know what to look for. Searching the logs using the PowerShell has a certain advantage, though – you can check events on the local or remote computers much quicker using the console. It is an invaluable asset if you think about server health monitoring. PowerShell lets you generate automatic reports about the most important events to read while drinking your morning coffee.

Get-WinEvent vs Get-EventLog

You might wonder what is the difference between Get-WinEvent and Get-EventLog. Get-WinEvent is a newer version of Get-EventLog. The cmdlets work in a similar manner, and Get-EventLog does the trick in most cases. According to a Microsoft documentation, the main difference is that Get-WinEvent works with “the Windows Event Log technology introduced in Windows Vista.” To get a clearer explanation, you can use two simple cmdlets:

Get-WinEvent -ListLog * | where

As you can see, Get-WinEvent is a clear winner when it comes to the amount of data it can access.

Mind that some attributes’ names are different in those two cmdlets, so you might need to do some translating if you want to use the syntax of Get-WinEvent with the Get-EventLog cmdlet. If you want to know how to filter the results, simply pipe the cmdlet to Get-Member:

Get-EventLog application -newest 1 | Get-Member

Although Get-EventLog is a “legacy cmdlet,” it still works like a charm in most diagnostic cases. It also has one clear advantage: you can use the -After and –Before attributes to filter results by date. Thanks to that, date-related queries are much quicker than piping all results and trying to sift through them.

Before you start searching through the logs for specific events, it is a good idea to get to know the structure and get the general idea of how the logging mechanism works. The Event Viewer is the right tool to get you started on that.

The Event Viewer

The amount of logging information can be overwhelming. It means that data filtering is your priority. In order to get acquainted with the structure, you can either use the Event Viewer.

The quickest way to start the Event viewer is to use the Win+R key combination and executing eventvwr:

How to use powershell to detect logins and alert through email

This action will open the Event Viewer:

How to use powershell to detect logins and alert through email

The tree on the left lets you browse through all Event Viewer’s entries. The most used logs are Application, System, and Security.

Use PowerShell to diagnose problems on multiple computers

The biggest challenge of setting up the Get-EventLog or Get-WinEvent cmdlets is to filter results. First, you have to know what to look for, next – you have to make sure that your query does not cause the PowerShell console to throw a fit. One way to run diagnostics is to use the script below:

$servers = Get-TransportService;
foreach ($server in $servers)
Get-EventLog system -ComputerName $server -After (Get-Date).AddHours(-12) | where <($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")>| ft -wrap >> “C:/$server.csv”;
Get-EventLog application -ComputerName $server -After (Get-Date).AddHours(-12) | where <($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")>| ft -wrap >> “C:/$server.csv”>

The script pulls information about all Error and Warning kinds of events generated in the last 12 hours in System and Application logs for a list of servers. You can replace the Get-TransportService cmdlet with another list of machines you want to diagnose.

Checking login and logoff time with PowerShell

There are quite a few ways to check when a certain machine was turned on. If you simply need to check when was the first time a user logged in on a specific date, use the following cmdlet:

Get-EventLog system -after (get-date).AddDays(-1) | where

To learn when the computer was turned on a specific date, you can select the first logged event:

$today = get-date -Hour 0 -Minute 0;
Get-EventLog system -after $today | sort -Descending | select -First 1

Those cmdlets; however, will not work if you want to monitor the usage of a shared computer.

You could scan through the security events, looking for 4624 (logon) and 4625 (logoff) event IDs. However, the security log usually holds the greatest number of records and going through it can be extremely time-consuming. Fortunately, the system log also stores logon and logoff data and specifying the exact source of the log entry allows a relatively quick search. The script below returns a list of logon and logoff events on the target computer with their exact times and users for the last seven days.

If you need more detailed results, you could add the Security log events IDs 4800 and 4801 for lock and unlock events. Mind that this will require you to run another Get-EventLog script to get info from the Security log. It will also significantly increase the time your PowerShell console will need to finish the task.

Before you read through this post, I heavily encourage you to read my previous post on Tracking down account lockout sources because I’m going to be referring back to a lot of what I did previously, but tweaking it for finding bad password attempts. You definitely don’t have to refer back if you are familiar with parsing event logs with PowerShell, but I’ll point out the times where I go more into depth in the previous post.

If you are dealing with password lockouts, it can also be useful to see where the bad password attempts are coming from and what types of logons they are. The good news is that the event logs contain all that information! We just need to write ourselves a handy function to access that information.

Background

Like before, lets cover the metadata for the event first.

The Event

In an Active Directory environment whenever an authentication failure occurs, EventID 4625 is generated and the event is forwarded to the PDC Emulator. This event contains a plethura of useful information that we’ll be taking a look at.

The Command

Same as before, we’ll be using the Get-WinEvent cmdlet. You can refer back to the previous post for a basic example, or read on to see how we’ll use it to find the bad password attempts.

Building a tool

Get-WinEvent refresher

So, like before, we’re going to use the -FilterHashtable parameter to filter to the left (I time this vs Where-Object in the last post) and look for the bad password events in the security logs:

And again, since we are in AD we’ll need to find the PDC Emulator:

The Event Object

When looking at one of the returned events from that command, we get quite a lot of useful information:

Now lets break out some unintelligible regex!! Ha, just kidding. Instead, we can look at the Properties property and see a list of all the property values:

Now we’re going to grab values based on the index in that array, but as Mathias Jessen pointed out to me, you can access them via XPath, but that is a little out of scope for this post.

As an example of what I mean, if we want to get the logon type, target account, and the network info we can create a custom PS Object:

Logon types

Something to note is that the logon type is just a number. What is a logon type of 7 anyway? Microsoft has a nice table for that information, here’s the PowerShell version of it:

So in this case, that example event was an attempt to unlock DC01 locally. I can blame myself for that one!

Bringing it together in a function

My favorite part about writing tools is making them easily reusable as functions:

You’ll notice that I added a parameter set to this one so that you can specify a specific user, if you want to. It does depend on the Where-Object cmdlet, so it wouldn’t be any faster that filtering on your own, just more convenient.

I also moved the selection of the PDC Emulator to the param block so that you could specify a specific DC if you wanted to. This function doesn’t verify that the computer is a DC, so it will just search the event logs of any server you point it at.

Much like the Get-ADUserLockouts from the previous post, I also collect all events in the Begin<> block in case multiple users are passed through the pipeline so that it doesn’t have to reach out to get all events for each passed user.

Usage

To get some really simple data, I’d try running the plain command and piping it to Format-Table :

Since we added pipeline functionality, we can use that to look at a notoriously fat-fingered department:

Or we could simply check our own account:

Conclusion

I hope you find this useful and it saves you some time! Its a tool that I’ve used many times for tracking down bad password attempts and whatnot.

I’ve also uploaded this to my Utilities repo so be sure to check it out there as well as the other tools I’ve got up there.

If you’ve got any feedback, let me know with a comment, tweet, email, or whatever. I’m happy to assist if you have trouble using any of the tools I write.

Updated: May 09, 2019

Share on

Leave a Comment

You May Also Enjoy

While vs Do-While in PowerShell

One of the basics of PowerShell that is often overlooked (I say that because I often overlook it) is the difference between the While loop and the Do-While l.

My first PowerShell Summit: Worth every penny

This year marks the 4th year that I intended to attend the PowerShell summit. I say ‘intended’ because last year the pandemic cancelled the summit, which mad.

Using PowerShell core to find stale users in Office 365 / Azure AD using the Graph API module

One of the big projects I’ve been working on this year is to translate my AD PowerShell skills to Azure AD. The really cool part of this process is the adven.

Using the Microsoft.Graph PowerShell module to assign Office 365 licenses (PowerShell Core)

I’ve been working on automating the onboarding process at my new job using PowerShell, but specifically attempting to do as much of it as possible in PowerSh.

  • Tips
  • Blog
  • Hvordan
  • Vinduer
  • Telefon

How to use powershell to detect logins and alert through email

How to use powershell to detect logins and alert through email

How to use powershell to detect logins and alert through email

  • Vigtigste 
  • Blog 
  • Sådan bruger du PowerShell til at registrere Logins og Alert via e-mail

How to use powershell to detect logins and alert through email

Windows Task Scheduler kan automatisk sende e-mail på et bestemt tidspunkt eller som svar på en bestemt begivenhed, men den integrerede e-mail-funktion virker ikke særlig godt for de fleste brugere.

Vi har allerede vist dig, hvordan du gør dette ved hjælp af et tredjepartsværktøj, men hvem vil virkelig gøre det, når du kan gøre det med værktøjer bygget direkte ind i Windows?

Indtast PowerShell + Task Scheduler

Det første, vi skal gøre, er at oprette en planlagt opgave. Tryk på Win + R tastaturkombinationen for at hente en kørselsboks og skriv “control schedtasks” og tryk på enter.

How to use powershell to detect logins and alert through email

Når Opgaveplanlæggeren åbnes, klik på linket Opret opgave .

How to use powershell to detect logins and alert through email

Angiv et navn og en beskrivelse af opgaven i ruden Generelt. Du skal også vælge Kør om brugeren er logget på eller ej mulighed.

How to use powershell to detect logins and alert through email

Skift derefter til fanen Triggers og tilføj en ny trigger. Udløseren skal indstilles til brand ved log på, som kan vælges fra drop down.

How to use powershell to detect logins and alert through email

Endelig vil du gerne skifte til handlingens faneblad og tilføje en ny handling. Derefter vil du vælge at starte et nyt program, og det program, vi vil have denne trigger til at starte, er “powershell”. Du skal derefter indsætte følgende i tekstboksen Argumenter.

-Command “Send-MailMessage -From “ [email protected] ” -To “ [email protected] ” -Body “Someone Just Logged In” -Subject “LOGIN” -SmtpServer “smtp.gmail.com” -Port 587 -Credential $(New-Object System.Management.Automation.PSCredential ( [email protected] , $(ConvertTo-SecureString “PASSWORD” -AsPlainText -Force))) –UseSsl”

Bemærk at du bliver nødt til at ændre alle forekomster af [email protected] til brugernavnet til en ægte Gmail-konto og ADGANGSKODE til adgangskoden for den pågældende konto. Alternativt kan du vælge at bruge din egen SMTP-server.

How to use powershell to detect logins and alert through email

Fjern markeringen i fanebladet Betingelser Start kun opgaven, hvis computeren er tændt mulighed, eller du vil ikke få e-mails, hvis din computer er en bærbar computer, og den er frakoblet.

How to use powershell to detect logins and alert through email

Klik på OK-knappen og gem din opgave. Du skal nu modtage e-mail-underretninger, når nogen logger ind på din computer.

I want to get an email any time a user logs in to my server, including details about their activities such as who logged in, whether any files have been modified or not. I know i will need to use powershell but i am new to this so if i can get the steps and commands it will be really helpful.

  • Think you’ve mastered IT? Try the Challenge »
  • Unable to lock students out of their computers at midnight
  • There is not enough free space on partition (G:)
  • ::1 in logs of IIS

The help desk software for IT. Free.

Track users’ IT needs, easily, and with only the features you need.

7 Replies

What server is that ?

What is the function of the server ?

How many users do you have ??

Brand Representative for Lepide

Have a look at LepideAuditor for Active Directory to get user logon / logoff and failed logon details with detailed report. It alerts instantly by sending customized email notification for all critical changes.

If you enable account auditing Logon/Logoff, you can attach a send email task to a logon event id 4624 – Audit Successful Logon/Logoff and Failed Logons

Brand Representative for Netwrix

I agree with Adrian – you haven’t specified necessary details to give you exact answer, but in general you have several options to streamline your auditing:

  • Powershell triggered by specific Event:

1. In Windows Event Viewer, right click the Event you want and select “Attach Task To This Event. “
2. Click through the first screens of the Create a Basic Task Wizard, in the Action section select “Start a Program”
3. Put Powershell.exe as the program and the full path to the script in the arguments list.

After brief search I’ve found these two how-tos here on Spiceworks which might help you:

or Check this one:

How to Make Automatic User Account Reports with PowerShell – it contains example on how to setup triggered email for EventID 4720

  • Use Netwrix Event Log Manager free tool. It will save you a lot of time and nerves.
  • In case you need something solid and reputable – try Netwrix Auditor – after 20 days of free trial you can choose to switch to Free Community Edition, which is quite powerful tool to have, even though it’s restricted in comparison to the full commercial version.

How to Send Email Securely with PowerShell

How to use powershell to detect logins and alert through email

Adam Listek

Read more posts by this author.

Need to notify your team on a failed service, only to find that your PowerShell email has bounced? Unauthenticated email has become difficult to pass in many mail systems. You don’t want to miss an important email notification because you relied on outdated PowerShell cmdlets. The built-in cmdlet Send-MailMessage no longer covers sending email securely.

So as useful as this cmdlet is, why is it no longer considered secure? Underneath, this PowerShell cmdlet uses the SmtpClient .NET class. Unfortunately, this class does not support many of the modern encryption protocols and therefore, cannot guarantee a secure connection. The crux of the matter is that SmtpClient is not going to be further developed to add features, such as for Opportunistic TLS, the official recommendation has been to no longer use this product.

What may be slightly confusing is that the classes and methods are still present even in the latest .NET Core releases. Though you may still use these methods,, the official recommendation is to move to alternative email sending methods. There are generally two methods now of sending Powershell email.

  • .NET Library
  • REST API

With those two methods in mind, let’s jump into some alternatives!

Table of Contents

.NET MailKit

The most generic method that would replace SmtpClient and Send-MailMessage would be the recommended replacement, which is MailKit. This is a third-party, open-source library but maintained by a Microsoft employee and officially recommended for use in the documentation. This is similar to how Newtonsoft.JSON became a core part of the .NET platform despite being an open-source product.

Installing MailKit & MimeKit

Since MailKit and it’s core dependency of MimeKit are not native libraries available to .NET, we will need to install them first.

Make sure to run Install-Package as an administrator or else the packages may not install properly.

Using the Install-Package cmdlet, install MailKit from the [nuget.org]( ) repository. If the installation works properly, you will see a number of dependencies installed alongside MailKit, including MimeKit.

Sending an PowerShell Email via MailKit

The example below shows how we can send an email using the Gmail SMTP server but using MailKit. In this example, PowerShell 7.0.1 is the underlying version and we are using the latest .NET Standard 2.0 version of the DLL. Other DLL versions are available in the parent directory, if needed.

As you can see, we need to load both the MailKit DLL and the MimeKit DLL. If you only load MailKit, an error may not occur, but this will not work. The next steps are pretty similar to how the original SmtpClient works in setting up the various configurations.

The reason that the password for the authentication step says appspecificpassword is that if you are properly using two-factor authentication, you will need to generate an app-specific password for your applications.

Emulating Send-MailMessage with MailKit

Although this does not have a direct correlation with Send-MailMessage , what if we wanted to create a quick and easy function that wrapped the MailKit functionality into an alternative to the built-in cmdlet? In this example, we can create a Send-MailkitMessage function to do a similar series of steps. Keep in mind that this does not replicate all of the functions and is vastly simplified.

Sending the actual message is as simple as calling the function that we just created and passing in the correct parameters.

Direct Send

To follow-up the use of MailKit, and how it can be used in a more practical sense in a modern environment that uses Office 365, we can take advantage of the Direct Send functionality available to users of Office 365. The original method using, Send-MailMessage can be read in this article as well. There are a couple of caveats to this specific method of sending though.

  • No external recipients are allowed
  • Uses Port 25 instead of 587
  • Sender does not need a valid mailbox, but should if NDRs or replies are needed

Similar to how we used MailKit to send to Gmail, we are going to make one change to the existing code. With the Connect method, we are adding the [MailKit.Security.SecureSocketOptions]::StartTls option to make sure that TLS is used.

Amazon SES

Another example of using MailKit to send emails is using Amazon SES (Simple Email Service). To learn more about the overall setup and configuration, read this article, but after that has been done you can see how simple it is to send an email via MailKit. By utilizing the correct endpoint and TLS, we can simply send emails via MailKit.

The .NET MailKit library is incredibly useful, but many modern services now allow you to send mail through a REST API as seen in the following examples.

Microsoft Graph Email

The Microsoft Graph REST API is quickly becoming indispensable for Azure AD and Office 365 administrators. With that in mind, utilizing the sendMail REST API method, we can quickly send a message using the Invoke-RestMethod API.

You will need the Mail.Send permission to send the email.

There are a few prerequisites to authenticating to the Microsoft Graph API, which you can read about here. Once you have your authentication token and the correct permissions assigned, see below as to how you can send in Powershell email.

MailGun

Finally, let’s explore using another popular email service, MailGun. Using a simple API call, we can send an email through here as well. After retrieving the Private API Key from the MailGun Account Settings → API Keys section, you can use that to send to the domain you have configured.

Conclusion

Creating Send-MailKitMessage to remove the underlying .NET technology SmtpClient from being used, allows for more secure PowerShell email sending. There are many easy to use and more powerful alternatives that can be made to work just as easily as the built-in functions. Depending on your needs and what your script or application may need to do, simply substitute for one of the many methods demonstrated above!

More from Adam The Automator & Friends

    How to use powershell to detect logins and alert through email

Scan your Active Directory for 750M+ known leaked passwords with a free read-only Specops Password Audit.

How to use powershell to detect logins and alert through email

We’ve put together a list of the resources we, at ATA, can wholeheartedly recommend.

How to use powershell to detect logins and alert through email

Why not write on a platform with an existing audience and share your knowledge with the world?

The automation of routine admin tasks isn’t the end of the story. You have to be aware of whether they have succeeded, and how long they’ve taken. When you have a lot of tasks, you have to consider how you can oversee logs and results from a single console that provides both detail and overview, and warns of problems. Nicolas explains how.

The series so far:

  1. Automating Day-to-Day PowerShell Admin Tasks – Part 1: Jobs and Workflow
  2. PowerShell Day-to-Day Admin Tasks – Part 2: WMI, CIM and PSWA
  3. PowerShell Day-to-Day Admin Tasks – Part 3: Monitoring Performance
  4. PowerShell Day-to-Day Admin Tasks – Part 4: Securing Scripts
  5. PowerShell Day-to-Day Admin Tasks – Part 5: Events and Monitoring
  6. PowerShell Day-to-Day Admin Tasks – Part 6: Real Time IT Dashboard

Certainly, it makes sense to automate as many of the routine SysAdmin tasks as you can, but is it possible to get a bit carried away and forget to include the essential feedback that allows us to supervise the work? However much you automate, the administrator needs to keep in control of the processes. Without this feedback information how, for example, do we check all those automated processes to see if a task has failed? How do we analyse the behaviour and performance of our tasks? It is important for us to be able to monitor tasks and respond to events in order to retain firm control of our systems.

To have a hope of doing this, we need to be able to:

  • Read the information in the Microsoft Windows events logs
  • Create our own events within PowerShell scripts
  • Improve the display of events so as to be easily warned of potential problems
  • Trigger actions as soon as a system activity is generated

It makes sense for our processes to use Windows events to alert us to problems and keep track of what tasks are completed on the system, just as the Windows services do. The PowerShell console isn’t sufficient. We must be able to receive alerts or notifications that indicate the result of a task or a PowerShell script.

Reading Information in the Windows Events Logs

There quickly comes a point where our workload is such that it is no longer possible to scan all the logs regularly for untoward events. PowerShell can then assist us to search for events that could spell problems

To do this, there are two PowerShell commands that we can use to interact with Windows logs:

Get-EventLog

I shall not go into details about Get-EventLog because it has become obsolete and is clearly less effective than Get-WinEvent . It was introduced in PowerShell version 1 but has to be mentioned because itremains important if you still work on systems such as Windows 2003 Server. Please note, however, that the new logs (such as “Desired State Configuration” (DCS)) are accessible solely via the Get-WinEvent command.

Get-WinEvent

This allows quicker access to logs. The recovery of events from a remote machine is also quicker. This is easily explained: If you use a filter in your command, then the events will be filtered before rendering results through the network. At last, Get-WinEvent uses the built-in Windows event log remote technology instead of using PowerShell remoting.

If you still have to use the Get-EventLog command over a slow network link, then I’d advise you to avoid any risk of flooding the network by doing the following:

  1. Execute the command on the remote machine
  2. Save the result in a file on that remote machine
  3. Recover this file at a more opportune time

Let’s start by asking the machine to list all the present logs. We will use the listlog parameter followed by * so as to display them all.