Simon336697

Auditing RDP access

Hi guys,
In our AD 2003 domain, there are many users who frequently use Remote Desktop.
What we want is to get a list of all those users who do so.
So what I was thinking of was somehow recording to a log file the username of whoever logged on to a system through Remote Desktop, but I am unsure of how to go about it.

Would it be possible to put this into a user's logon script?

Any help with determining if a user logged on to a system through Remote desktop would be greatly appreciated.
As I need to do this domain wide, I need a process that can be as automated as possible.

Thank you.
wls3

Look in the Security Event Log for a Logon/Logoff Event 528 and Logon Type 10.  If you are on a domain, you can pull a list of all domain computers to search across and loop through the list.

https://blogs.technet.com/b/heyscriptingguy/archive/2006/11/09/how-can-i-use-windows-powershell-to-get-a-list-of-all-my-computers.aspx

Once you have the list, a foreach loop with the object created here would allow you to then run something like this:

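foreach ($computerName in $DomainMachines)
{
    # Event 528 = successful logon; Logon Type 10 (RDP) is a field in the message text, not an event ID
    Get-EventLog -LogName Security -ComputerName $computerName -InstanceId 528 |
        Where-Object { $_.Message -match 'Logon Type:\s*10\b' }
}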

I got the codes from:

http://forums.techarena.in/windows-security/838814.htm
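
A fuller version of the loop suggested above, as an added example that is not part of the original thread: it reads hostnames from a file, keeps only event 528 entries whose message shows Logon Type 10, and writes computer, time and user to a CSV. The file paths, the function names and the sample message are assumptions constructed for illustration, and the parsing assumes the English event 528 message layout.

```powershell
# Added example, not code from the thread. Placeholder paths (assumptions):
$ComputerList = 'C:\computers.txt'    # one hostname per line
$ReportPath   = 'C:\rdp-logons.csv'

function Get-RdpLogonInfo {
    param([string]$Message)
    # Keep only Logon Type 10 (RemoteInteractive, i.e. Remote Desktop).
    if ($Message -notmatch 'Logon Type:\s*10\b') { return $null }
    # The leftmost "User Name:" / "Domain:" fields belong to the account that logged on.
    $user   = if ($Message -match 'User Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    $domain = if ($Message -match 'Domain:\s*([^\r\n]+)')    { $Matches[1].Trim() } else { $null }
    New-Object PSObject -Property @{ User = $user; Domain = $domain }
}

function Get-RdpLogons {
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            # -InstanceId filters on the event ID before the message is inspected.
            Get-EventLog -LogName Security -ComputerName $computer -InstanceId 528 -ErrorAction Stop |
                ForEach-Object {
                    $info = Get-RdpLogonInfo $_.Message
                    if ($info) {
                        New-Object PSObject -Property @{
                            Computer = $computer; Time = $_.TimeGenerated
                            Domain   = $info.Domain; User = $info.User
                        }
                    }
                }
        } catch {
            # Unreachable host, access denied, or no event 528 in the log:
            # report it and continue with the next machine.
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

# Constructed sample message to exercise the parser offline.
$sample = "Successful Logon:`r`n`tUser Name:`tjsmith`r`n`tDomain:`tCORP`r`n" +
          "`tLogon ID:`t(0x0,0x1A2B3)`r`n`tLogon Type:`t10`r`n`tLogon Process:`tUser32`r`n"
Get-RdpLogonInfo $sample

if (Test-Path $ComputerList) {
    Get-RdpLogons (Get-Content $ComputerList) |
        Select-Object Computer, Time, Domain, User |
        Export-Csv $ReportPath -NoTypeInformation
}
```

Reading a remote Security log requires an account with rights to that log on each target, and logon auditing must be enabled there for event 528 to be recorded at all.
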
Simon336697 (ASKER)

Hi wls3, thanks so much.

So in your code, would the variable $DomainMachines be the text file of computer names to check?

e.g.

$DomainMachines = c:\computers.txt

foreach($computerName in $DomainMachines)
{
Get-EventLog -LogName -ComputerName $computerName | Where {($_.InstanceID -eq 528) -Or ($_.InstanceID -eq 10)}
}
ASKER CERTIFIED SOLUTION
wls3

This solution is only available to members.

Thanks so much for your kind help on this.