In our corporate network we have a situation of conflicting interests between not very polite admin and privileged users.
The admin often renews annoying policies, like forced reboot, and updates.
Engineers are given local admin authority for fulfilling their tasks by maximum. We would not even need an admin, but we need an AD, and resource authorization, so there is admin attached to it.
So, like it happens with perfectionists distanced from real work, this admin often injects some parasitic policy, resulting in unexpected loss of data, panic, and general loss of development performance.
As local admins, we are given a right to fix such sabotage locally. But the problem, that the admin is a sneaky guy. He stabs you with a knife unexpectedly, when you are editing the data in 15 windows, and don't have time to save everything.
What I want is looking for any administrative access from the domain controller, that makes any changes. Then trigger a batch execution with such event, throwing an alert in the tray.
But how can I distinguish admin logins, and online policy updates from AD server, among other network logins to my system. Like logins from simple SMB browsers of coworkers' stations? Is it possible? using a cmd, or PS script?