[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 308
  • Last Modified:

Remote Desktop Connection

How can I see which computers are using Remote Desktop to connect to my server?
I know how to see current ones, but how can I see any previous connections.. if possible?

Josh
0
MJoshua
Asked:
MJoshua
2 Solutions
 
Rich RumbleSecurity SamuraiCommented:
You'll probably need to turn up the event logging, by default windows doesn't log much. Go to Start> Run.. and type
Secpol.msc (press enter, or click ok)
In the local policy>audit folder you'll find the auditing of sucess's and failures. You'll want at least to log the sucess of account logon's and "audit logon event" sucess.
Sucessful logons events are 552's logoffs are 572's (as well as others... M$ is so dumb, almost all events have a duplicate or overlapping event that could mean the same thing)
Event ID 680 is an unsucessful attempt http://kbase.gfi.com/showarticle.asp?id=KBID001739
528  might also be a sucessful log on http://support.microsoft.com/default.aspx?scid=kb;en-us;140714&sd=tech
551 in xp and 2003 mean someone kicked their own session off, or a sudden rebot could of http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B828857
-rich
0
 
kevinf40Commented:
This link has a nice tutorial showing applying the audit settings, and the events appearing in the event log on a win XP machine.

http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html#Logging

There are some other RDP hints and tips on that page which may also be of use / interest to you.

cheers

Kevin
0
 
dooleydogCommented:
Terminal services manager... in administrative tools from hte server.

Hope this helps,

0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
Dushan De SilvaCommented:
Start --> Run --> cmd

netstat
net session
net file

BR Dushan
0
 
hack-4-goodCommented:
if you just want the pc names, you can probably just look in the terminal server licensing, see what machines got issued a license in the past...

but your best bet is the event log as stated above, it will usually give you the remote pc name, user name, and remote ip address.

0
 
Rich RumbleSecurity SamuraiCommented:
Bah M$, you'll hardly ever get an IP address from an event log... M$ is soo dumb... In IIS, yes you can see IP's, in the standard eventlogs, no, just the netbios name if any.
If you want real logging, get a firewall like ZoneAlarm, it can log denials as well as allows.
-rich
0
 
prashsaxCommented:
You can make a logon script which will append the username into a file.

something like:
echo off
echo %username% %date% >> \\servername\sharename\tslog.txt

OR

Enable security audits.

Administrative Tools | Local (or Domain Security) Policy | Security Settings | Local Policies | Audit Policy

Run this script on your Terminal Server.

It will read your security logs and store the result in c:\RDPCON.txt

---------------------------------------------------------------------------------------------------------------
SearchStr="RDP"
filenm = "c:\RDPCON.txt"
Set fso = CreateObject("Scripting.FileSystemObject")


Set tf = fso.CreateTextFile(filenm, True)
tf.WriteLine("Logfile started at: " & Date() & " " & Time())



strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
    & "{(Security)}\\" & strComputer & "\root\cimv2")

Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * From Win32_NTLogEvent Where Type <> 'Error'")

For Each objEvent in colLoggedEvents
if objEvent.EventCode=682 then
if Instr(Ucase(ObjEvent.Message),Ucase(SearchStr)) > 0 then
      tf.WriteLine("Message: " & objEvent.Message & "Source Name: " & objEvent.SourceName & "Time Written: " & ObjEvent.TimeWritten)
end if
end if
Next
0
 
michael_heringCommented:
Mjoshua,

Use the Terminal Services Manager under Admin Tools on the server. It's the easiest method of seeing who is in your server via Remote Desktop. You can also log off users, etc. from this handy tool.
0
 
prashsaxCommented:
He wants to know who all have used it.

You can see only connected or disconnected state in Terminal Services Manager. But it will not show you the list for users you have logged off after using it.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now