Mike Page
asked on
How do I track logons and logouts on a termanal server?
I have a terminal server and I need to track who and when people are logging in.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Administrative Tools | Local (or Domain Security) Policy | Security Settings | Local Policies | Audit Policy
Here you can add the items you wish to audit,. The will be displayed in the Event Viewer security log. The down side of this it requires some digging or filtering.
Here you can add the items you wish to audit,. The will be displayed in the Event Viewer security log. The down side of this it requires some digging or filtering.
Use this script for searching you Servers security log for users who have done RDP logon.
The output file will be c:\RDPCON.txt
See if this solves your problem.
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- --------
SearchStr="RDP"
filenm = "c:\RDPCON.txt"
Set fso = CreateObject("Scripting.Fi leSystemOb ject")
Set tf = fso.CreateTextFile(filenm, True)
tf.WriteLine("Logfile started at: " & Date() & " " & Time())
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{(Security)}\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * From Win32_NTLogEvent Where Type <> 'Error'")
For Each objEvent in colLoggedEvents
if objEvent.EventCode=682 then
if Instr(Ucase(ObjEvent.Messa ge),Ucase( SearchStr) ) > 0 then
tf.WriteLine("Message: " & objEvent.Message & "Source Name: " & objEvent.SourceName & "Time Written: " &
ObjEvent.TimeWritten)
end if
end if
Next
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---
The output file will be c:\RDPCON.txt
See if this solves your problem.
--------------------------
SearchStr="RDP"
filenm = "c:\RDPCON.txt"
Set fso = CreateObject("Scripting.Fi
Set tf = fso.CreateTextFile(filenm,
tf.WriteLine("Logfile started at: " & Date() & " " & Time())
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{(Security)}\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * From Win32_NTLogEvent Where Type <> 'Error'")
For Each objEvent in colLoggedEvents
if objEvent.EventCode=682 then
if Instr(Ucase(ObjEvent.Messa
tf.WriteLine("Message: " & objEvent.Message & "Source Name: " & objEvent.SourceName & "Time Written: " &
ObjEvent.TimeWritten)
end if
end if
Next
--------------------------
Thanks mpage,
--Rob
--Rob
ASKER