how to audit who logs into a server using RDP? I can not find any reference to a RDP logon event

  • Question

  • in the event logs? When I connect to a server, where is that info logged? Or how do I enable logging of these events?

    Windows 2008R2 sp1

    Tuesday, April 10, 2012 6:21 PM

Answers

  • Hi

    Thanks for your post 

    The Auditing


    Option 1:

    1. Enable Auditing on the domain level by using Group Policy:

          Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy

          There are two types of auditing that address logging on, they are Audit Logon Events and Audit Account Logon Events.

          Audit "logon events" records logons on the PC(s) targeted by the policy and the results appear in the Security Log on that PC(s).

          Audit "Account Logon" Events tracks logons to the domain, and the results appear in the Security Log on domain controllers only


    2. Create a logon script on the required domain/OU/user account with the following content:

         echo %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >> \\SERVER\SHARENAME$\LOGON.LOG

    3. Create a logoff script on the required domain/OU/user account with the following content:

         echo %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >> \\SERVER\SHARENAME$\LOGOFF.LOG


    Note: Please be aware that unauthorized users can change these scripts, due to the requirement that the SHARENAME$ will be writeable by users.


    Option 2:


    Use WMI/ADSI to query each domain controller for logon/logoff events.

                   


    Thanks and Regards
    Jagadeesh

    MCP,MCTS,MCITP |Server Administrator | Systems Engineer

    • Proposed as answer by Jagadeesh Devaraj Tuesday, April 10, 2012 7:46 PM
    • Marked as answer by BlueIzzzz Tuesday, April 10, 2012 11:18 PM
    Tuesday, April 10, 2012 7:46 PM
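
One way to read Remote Desktop logons out of the Security log once Audit Logon Events is enabled as in Option 1 above (an added example, not part of the original answer). It assumes an elevated PowerShell 2.0 or later prompt on the server and a 7-day look-back window; the event IDs 4624/4625 and logon type 10 (RemoteInteractive) are not named in the thread.

```powershell
# Added example: list Remote Desktop logons recorded in the local Security log.
# Run from an elevated prompt on the server; works with PowerShell 2.0 (Windows Server 2008 R2).
# 4624 = successful logon, 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
# With Network Level Authentication, failed attempts are often recorded as type 3 (Network) instead.

$since = (Get-Date).AddDays(-7)    # assumed look-back window

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Field positions differ between 4624 and 4625, so index the event data by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['LogonType'] -eq '10') {
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                Result   = $(if ($_.Id -eq 4624) { 'Success' } else { 'Failure' })
                User     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                SourceIP = $data['IpAddress']
                Client   = $data['WorkstationName']
            }
        }
    } |
    Select-Object Time, Result, User, SourceIP, Client |
    Sort-Object Time |
    Format-Table -AutoSize
```

If nothing is returned, `auditpol /get /category:"Logon/Logoff"` shows whether the audit policy has actually taken effect on the server.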

All replies

  • I enabled the audit logon and logoff events under "local security policy\local policy\audit policy\--logon events (success and failure)...

    But I am still unable to find the RDP logon event in the event logs under security??? Thanks

    Tuesday, April 10, 2012 7:18 PM