[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 278
  • Last Modified:

How do I track logons and logouts on a termanal server?

I have a terminal server and I need to track who and when people are logging in.  
  • 3
1 Solution
Rob WilliamsCommented:
You can enable security logging, but I found I wanted a simple log, that would also tell me the IP from which the user logged in. I added a couple of lines to the Terminal Servers Users' logon script, that created a custom log  file.  It would give you UserName, ComputerName, date and time in a simple single line, and the IP from which they connected below. As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:

Log File
Log On:  UserName ComputerName  Fri 09/30/20   8:07  
{Where is the computer IP and is the remote user's IP, local or remote}

Add lines below. Note: \\Server\Logs needs to be created as a shared folder on the server with all users having write privileges:
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,12%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
Netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"
mpageAuthor Commented:
Where do I enable security logging, the script looks great I do not have time to setup it now but if I can turn on security logging and check it that can help.

Rob WilliamsCommented:
Administrative Tools | Local (or Domain Security) Policy | Security Settings | Local Policies | Audit Policy

Here you can add the items you wish to audit,. The will be displayed in the Event Viewer security log. The down side of this it requires some digging or filtering.
Use this script for searching you Servers security log for users who have done RDP logon.

The output file will be c:\RDPCON.txt

See if this solves your problem.
filenm = "c:\RDPCON.txt"
Set fso = CreateObject("Scripting.FileSystemObject")

Set tf = fso.CreateTextFile(filenm, True)
tf.WriteLine("Logfile started at: " & Date() & " " & Time())

strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
    & "{(Security)}\\" & strComputer & "\root\cimv2")

Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * From Win32_NTLogEvent Where Type <> 'Error'")

For Each objEvent in colLoggedEvents
if objEvent.EventCode=682 then
if Instr(Ucase(ObjEvent.Message),Ucase(SearchStr)) > 0 then
      tf.WriteLine("Message: " & objEvent.Message & "Source Name: " & objEvent.SourceName & "Time Written: " &

end if
end if
Rob WilliamsCommented:
Thanks mpage,

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now