It is possible with a little work. There are many steps.
All of this can be done in any order, you just need all the pieces before it
will work, there may be a better way.
-(change share) Create a share on a server that is accessible to all
computers. In the Share Permissions set Everyone to Change and Anonymous
Logon to Change. In this directory create a log file named something like
locals.log. (this is done because the local users don't actually have rights
on a domain server)
-(read share) Create a share on a server that is accessible to all
computers. In the Share Permissions, set Everyone to Read and Anonymous
Logon to Read. In that shared directory, create a script maybe called
localcheck.vbs (I suggest encoding it to a vbe) that can determine if the
logged on user is a local user or not and make it log the information in the
locals.log file created in the previous share.
- Now, create a script named something like checkreg.vbs that will check the
systems registry HKLM\Software\Microsoft\Windows\Run. Using this script you
add the execution of the localcheck.vbs that we created in the previous
step. You can just use All Users - Startup but if users are local admins,
they might keep removing the entry. Storing in the registry is a little
harder to find and if you don't want to edit the registry with a logon
script you can just do a mass remote registry edit. When you add the entry
in registry use something like "wscript.exe
\\server.domain.com\(ReadShareName)\localcheck.vbs" using the full UNC will
ensure that if the DNS suffix is different, you can still get to the script.
- In a Group Policy, add the checkreg.vbs as a startup script to the OU that
contains the computer that you want to check.
Now that you have everything logged, you can pretty much determine what is
going. If you are still wanting an e-mail when it happens so you can respond
asap, you need to do the following.
The reason we did all the previous steps is because I assume that your
workstations are not authorized to send mail. So you just need to authorize
the server that contains the Change Share we created before and create a
file monitor described in this link:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0404.mspx
Use the __InstanceModificationEvent event on the locals.log file to send you
a e-mail.
I hope this is understandable.
Thanks,
Allan