Unauthorized or unexpected administrator logins can be a major security risk, potentially indicating compromised credentials or suspicious activity. Monitoring these logins in real-time allows IT professionals and MSPs to detect potential security breaches, ensure compliance with security policies, and proactively address unauthorized access attempts before they escalate.
This script scans the Windows Security event log for successful logons (Event ID 4624) within the past hour, keeping only interactive (local console, logon type 2) and Remote Desktop (logon type 10) sessions. It excludes a short list of built-in Windows session accounts (DWM-*, UMFD-*, SYSTEM) to reduce noise and outputs the unique account names it found. Note that the script does not check whether an account is a member of the Administrators group: it reports every interactive or RDP logon by a non-system account. On hosts where only administrators are expected to log on interactively (servers, jump hosts, domain controllers) each hit is therefore an admin login; on shared workstations it will also report standard users. Reading the Security log requires elevation, which is why the script is meant to run as Local System. When paired with a script-based monitor in Level, it can trigger an alert whenever such a login occurs, helping IT teams maintain oversight of privileged account usage.
Script
<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library

# Level Library
# https://level.io/library/script-windows-admin-login-alert
#>

# Define known system accounts to ignore: Desktop Window Manager (DWM-*) and
# User-Mode Font Driver host (UMFD-*) sessions plus SYSTEM. Any other
# interactive/RDP logon is reported, whether or not the account is an admin.
$SystemAccounts = @("DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1", "UMFD-2", "UMFD-3", "SYSTEM")

# Get recent successful logins (Event ID 4624) and filter for interactive/RDP logins.
# Reading the Security log requires elevation (run as Local System).
# -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were found" as an
# error instead of returning nothing when no matching logins occurred in the window.
$Logins = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4624
    StartTime = (Get-Date).AddHours(-1) # Filter for the last hour
} -ErrorAction SilentlyContinue | Where-Object {
    # Extract logon type (4624 Properties[8] = LogonType)
    $LogonType = $_.Properties[8].Value
    # Only check interactive (2) and remote desktop (10) logins
    $LogonType -eq 2 -or $LogonType -eq 10
} | ForEach-Object {
    $_.Properties[5].Value # Extract the account name (4624 Properties[5] = TargetUserName)
} | Where-Object { $_ -notin $SystemAccounts } | Select-Object -Unique

# Output detected logins (the list is empty if none were found)
Write-Host "Detected Admin Logins: $($Logins -join ', ')"
exit 0
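The Level script above reports every non-system interactive or RDP logon and leaves it to the operator to know which of those accounts are administrators. The following is an added example, not part of the Level library script, that makes the "admin" qualification explicit and the alert actionable: it correlates each 4624 logon with a 4672 event ("Special privileges assigned to new logon") by Logon ID, so a session counts as administrative only when Windows actually assigned it administrative privileges (this is token-based, so admins who get the right through a nested domain group are caught too), and it reports the logon time, domain-qualified account, logon type, source address and privilege list. It assumes the standard 4624 property layout (TargetUserName[5], TargetDomainName[6], TargetLogonId[7], LogonType[8], WorkstationName[11], IpAddress[18], IpPort[19]), the 4672 layout (SubjectLogonId[3], PrivilegeList[4]), that the default "Audit Special Logon" subcategory is enabled, and an elevated (Local System) context to read the Security log.

```powershell
# Added example (not the Level library script): flag a logon as "admin" only when a
# 4672 event with the same Logon ID shows the session received administrative
# privileges. Assumes default 4624/4672 property layouts and an elevated context.

$LookbackHours  = 1
$SystemAccounts = @("DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1", "UMFD-2", "UMFD-3", "SYSTEM")
$LogonTypeNames = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive' }
$Since          = (Get-Date).AddHours(-$LookbackHours)

# Get-WinEvent raises an error rather than returning nothing when no event matches,
# so collect with -ErrorAction SilentlyContinue and wrap in @() to get an empty array.
$Logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624; StartTime = $Since } -ErrorAction SilentlyContinue)
$Privs  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4672; StartTime = $Since } -ErrorAction SilentlyContinue)

# Index 4672 events by Subject Logon ID (Properties[3]); PrivilegeList is Properties[4].
$PrivByLogonId = @{}
foreach ($p in $Privs) {
    $PrivByLogonId[[string]$p.Properties[3].Value] = [string]$p.Properties[4].Value
}

$Results = foreach ($e in $Logons) {
    $f = $e.Properties
    $LogonType = [int]$f[8].Value
    if (-not $LogonTypeNames.ContainsKey($LogonType)) { continue }   # only console and RDP logons

    $User = [string]$f[5].Value                                      # TargetUserName
    if ($User -in $SystemAccounts -or $User.EndsWith('$')) { continue }   # system and computer accounts

    $LogonId = [string]$f[7].Value                                   # TargetLogonId
    if (-not $PrivByLogonId.ContainsKey($LogonId)) { continue }      # no admin privileges on this session

    # RDP: client IP:port from the event; console: the workstation name.
    if ($LogonType -eq 10) { $Source = "$($f[18].Value):$($f[19].Value)" } else { $Source = [string]$f[11].Value }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = "$($f[6].Value)\$User"                          # TargetDomainName\TargetUserName
        LogonType  = $LogonTypeNames[$LogonType]
        Source     = $Source
        Privileges = ($PrivByLogonId[$LogonId] -replace '\s+', ' ').Trim()
    }
}

if ($Results) {
    Write-Host "Detected admin logins in the last $LookbackHours hour(s):"
    $Results | Sort-Object Time | Format-Table -AutoSize | Out-String -Width 200 | Write-Host
} else {
    Write-Host "No admin logins detected in the last $LookbackHours hour(s)."
}
exit 0
```

With UAC enabled, an administrator's interactive logon produces two 4624 events with linked Logon IDs (the filtered token and the full token); only the full-token session gets a 4672, so the login is still reported exactly once per session pair. If "Audit Special Logon" has been disabled by policy no 4672 events exist and this check reports nothing, which is itself worth alerting on.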
Windows - Admin Login Alert
This PowerShell script reports recent interactive and Remote Desktop Protocol (RDP) logins on a Windows system. It reads successful logon events (Event ID 4624) from the last hour out of the Security event log, keeps logon types 2 (interactive) and 10 (RemoteInteractive), filters out known Windows session accounts, and outputs the list of unique user accounts that logged in during that period. It does not itself verify Administrators group membership, so it is most useful on hosts where interactive logons are expected only from administrators, for security monitoring and audit purposes.
PowerShell
300
Local system