Need logon history of RDP clients

Posted on 2007-03-19
Last Modified: 2013-11-21
I've been asked to provide a log-on history, showing when people sign on and off an RDP session.  I know I can see who is logged on at the moment, but don't know of a way to get the usage history?  
Question by:TinaSC
LVL 70

Assisted Solution

KCTS earned 20 total points
ID: 18750879
You need to set up Auditing. Unfortunately Auditing is not retrospective. See

Author Comment

ID: 18750942
Thanks KCTS.  I have looked at auditing & it seems somewhat cumbersome.  I've looked thru some old postings here & saw one by LEEW giving instructions for writing a script that's stored as a .csv.  I've never written a script before, but since I've come along a lot of solutions requiring a script, I guess it's time to learn.  It's too bad there's no way to go back in time.
LVL 51

Assisted Solution

Netman66 earned 20 total points
ID: 18752062
There should be Security logs that can be Filtered to show Logon events.


LVL 48

Assisted Solution

Jay_Jay70 earned 20 total points
ID: 18752159
or even the use of things like eventcomb will help you a little more with filtering
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 190 total points
ID: 18753925
You can enable auditing but it is quite time consuming to filter and extract. Or you could add the lines below to each user's logon script to create a log file for you. It would give you UserName, ComputerName, date and time in a simple single line. As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:

Log File
Log On:  UserName1 ComputerName1  Fri 09/30/20   8:00
Log On:  UserName2 ComputerName2  Fri 09/30/20   8:10
Log On:  UserName3 ComputerName3  Fri 09/30/20   8:15

REM Write the "Log File" header only when the log does not exist yet
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,12%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"

Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file.
If you wish to know logoff times as well you will need to add a script in group policy for logoffs if you don't already have one:
User Configuration | Windows settings | Scripts | Logoff
Here, to add to the same log file, add the following to the logoff script:

REM Write the "Log File" header only when the log does not exist yet
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo Log Off:  %USERNAME% %COMPUTERNAME%  %Date:~0,12%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
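
Added example, not part of the original answer: Python that pairs the Log On / Log Off lines written by the scripts above into sessions, exports them as CSV, and flags entries that do not pair up. It assumes the entry layout shown in the sample log and user/computer names without spaces; the sample log inside the code is constructed.

```python
import csv
import io
import re

# Format written by the scripts above: "Log On:  User Computer  Fri 09/30/20   8:00"
# Assumption: user and computer names contain no spaces.
ENTRY = re.compile(r"^Log (On|Off):\s+(\S+)\s+(\S+)\s+(\S.*?)\s*$")

# Constructed sample, not real data.
SAMPLE = """Log File
Log On:  UserName1 ComputerName1  Fri 09/30/20   8:00
Log On:  UserName2 ComputerName2  Fri 09/30/20   8:10
Log Off:  UserName1 ComputerName1  Fri 09/30/20  12:05
Log Off:  UserName3 ComputerName3  Fri 09/30/20  12:30
Log On:  UserName2 ComputerName2  Fri 09/30/20  13:00
"""

def parse_sessions(lines):
    """Pair On/Off entries per (user, computer); returns (sessions, anomalies)."""
    open_by_key, sessions, anomalies = {}, [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line == "Log File":  # blank line or first-use header
            continue
        m = ENTRY.match(line)
        if not m:
            anomalies.append((lineno, "unparseable entry"))
            continue
        kind, user, computer, when = m.groups()
        when = " ".join(when.split())       # collapse the padding before the time
        key = (user.lower(), computer.lower())
        if kind == "On":
            if key in open_by_key:
                anomalies.append((lineno, "logon while session open"))
            open_by_key[key] = {"user": user, "computer": computer,
                                "on": when, "off": None}
            sessions.append(open_by_key[key])
        elif key in open_by_key:
            open_by_key.pop(key)["off"] = when
        else:
            anomalies.append((lineno, "logoff without logon"))
    return sessions, anomalies

def to_csv(sessions):
    """Render sessions as CSV text; a session still open has an empty 'off'."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["user", "computer", "on", "off"])
    w.writeheader()
    w.writerows(sessions)
    return out.getvalue()
```

Every user has write access to this log, so its entries are self-reported; the anomalies list is the place to look for entries that were removed or never written.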

Author Comment

ID: 18756219
Thanks Rob... I almost get this.  In each user profile, I see the usrlogin.bat file (or something like that).  Is that where you mean I should add the above & if so, how do I find it to edit it for a specific user?  I did a search & only found 2 usrlogin.bat files??  Or do I put it in the logon/off script in the group policy??  Sorry, but I don't think I'm completely interpreting this correctly... new stuff for me...

Also, I saw a posting with this script -

IFMEMBER "%username%"=="domain\UserMonGroup"
IF ERRORLEVEL 1 echo LOGON %username% %computername% %date% %time% >> \\server\share\logon.log

(My apologies to the author, but I can't remember where I saw this).
If I read that correctly, it goes in the grp policy?
LVL 77

Accepted Solution

Rob Williams earned 190 total points
ID: 18757063
>>” usrlogin.bat file (or something like that).  Is that where you mean I should add the above”
Yes that is correct.
There doesn't necessarily need to be one logon script for each user. If the users have similar parameters set, they can all use the same one. The logon script is usually located in the NETLOGON share of the domain controller. Specifically:
If not there, or not sure which script is applied, it is applied in one of 2 ways, so you can check there to see the “pointer”:
1) In active directory, under the user’s profile, on the profile tab, in the logon script box
2) In group policy under User configuration | Windows settings | Scripts | Logon
If you have numerous group policies you may need to run gpresult from the command line of the client's machine while logged on as them to see what policies are applied.

The other script you reference is part of a script that uses the IfMember utility in the Windows Resource kit to determine if the user is a member of a group (nothing to do with group policy). Often people will write a script that says something like map this drive if the user is a member of this account.

Let us know if you need more help with the script. Glad to “fill in the blanks” for you.
LVL 77

Expert Comment

by:Rob Williams
ID: 18781562
Thanks again TinaSC.


Question has a verified solution.
