In short, I want to get an email alert when a particular user authenticates to the domain. Whether the logon type is RDP, via UNC path, SMB, basically log the authentication request for this one user on the domain. the report should include all requests but only one email should go out upon initial authentication. We can then review the report to see what was done and authenticated. 

I have tried a couple things but cannot seem to get it right. The email relay is configured, just need help setting up the alert and custom action. I am using 2008 DC's and servers user will be logging in to are mostly 2012/2008 with some misc 2003. 

I am sure we can just grab these alerts from event types on the DC's, just cant figure out how to filter it down to user and event type. Any help would be appreciated.