Need to get the report of a machine mstsc logins users and machines

Hi,

I need to just get the username and machine name of all the mstsc logins from 2 days to a particular machine.
Just to get this data from event logs.
Regards
Sharath
bsharath Asked:
 
oBdA Commented:
To do that remotely, just add the servername as mentioned in the Syntax:
psloglist \\SomeServer -a 07/18/2007 -s -t \t -i 528 security | find /i "Logon Type: 10" >RemoteDesktop.csv

The next column after the event id (528) will give you the user name that logged on.
Some columns later (which you didn't post) you'll find the Source IP from which the connection was established.
 
Brugh Commented:
? You want a report of all RDP logins over the past 2 days?

That report needs to contain the User name and the remote Machine name of the person that connected?

Is that what you are asking?

Or are you looking for a way to do this for all machines on your network without having to login to all of them?

 - Brugh
 
ocon827679 Commented:
You have to be auditing for "successful logins" to get this information.  Since this will give you all logins including RDP as well as interactive, you will then need to filter on only the RDP ones.  
 
bsharath Author Commented:
I need
report needs to contain the User name and the remote Machine name of the person that connected?
To a particular machine

 
bsharath Author Commented:
Any help...
 
oBdA Commented:
Get Sysinternals' PsLogList (http://www.microsoft.com/technet/sysinternals/Security/PsLogList.mspx), then open a command prompt and run
psloglist -a 07/18/2007 -s -t \t -i 528 security /accepteula | find /i "Logon Type: 10" >RemoteDesktop.csv
This should create a tab separated file "RemoteDesktop.csv" of RDP connections in the last two days (the event id to look for in the security event log is 528, with a logon type of 10).
You can then import that into Excel and check for the source IP and the user name that logged on.
Note that the remote machine has to run Server 2003 for this type of event to be logged by default. XP only logs these connections if this has been specifically enabled.
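Added example, not part of the original thread or of PsLogList: a small Python parser for the tab-separated output described in the answer above. It selects logon type 10 by parsing the field instead of relying on exact spacing in a `find` match, and pulls out the user and source IP. The sample rows are constructed, the message labels after "Logon ID" are assumed to follow the standard event 528 text, and all function names are hypothetical.

```python
import csv
import io
import re

def _sample_row(rec, when, user, logon_type, ip):
    """Build one constructed `psloglist -s -t \\t -i 528 security` row (not real data)."""
    msg = ("Successful Logon:     User Name: %s     Domain:  DEVELOPMENT     "
           "Logon ID:  (0x0,0x1A2B3C)     Logon Type: %s     Logon Process: User32       "
           "Workstation Name: DEV-CHEN-SRV401     Source Network Address: %s     "
           "Source Port: 51234" % (user, logon_type, ip))
    return "\t".join([rec, "Security", "Security", "AUDIT SUCCESS", "DEV-CHEN-SRV401",
                      when, "528", user + "\\DEVELOPMENT", msg])

# Column order follows the rows posted in this thread; the last row is wrapped in
# quotes the way the posted CSV lines were.
SAMPLE = "\n".join([
    _sample_row("180739", "7/20/2007 1:23:26 PM", "administrator", "10", "192.0.2.15"),
    _sample_row("180600", "7/20/2007 11:02:10 AM", "administrator", "2", "127.0.0.1"),
    '"' + _sample_row("180491", "7/20/2007 10:13:27 AM", "jsmith", "10", "192.0.2.77") + '"',
])

def field(message, label):
    """Return the value after 'label:' in the flattened event text, or ''."""
    m = re.search(re.escape(label) + r":\s*(.*?)(?:\s{2,}|$)", message)
    return m.group(1) if m else ""

def rdp_logons(text):
    """Keep only event 528 rows whose Logon Type is exactly 10 (RemoteInteractive)."""
    rows = []
    for line in text.splitlines():
        cols = line.strip().strip('"').split("\t", 8)  # message stays in cols[8]
        if len(cols) < 9 or cols[6] != "528":
            continue
        msg = cols[8]
        if field(msg, "Logon Type") != "10":
            continue
        rows.append({"time": cols[5], "server": cols[4],
                     "user": field(msg, "Domain") + "\\" + field(msg, "User Name"),
                     "source_ip": field(msg, "Source Network Address")})
    return rows

def to_csv(rows):
    """Render the filtered rows as a comma-separated report."""
    out = io.StringIO()
    w = csv.DictWriter(out, ["time", "server", "user", "source_ip"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(rdp_logons(SAMPLE)))
```
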
 
bsharath Author Commented:
oBdA
It's creating a csv file but no data inside it.
 
oBdA Commented:
Try which output
psloglist -a 07/18/2007 -s -t \t -i 528 security /accepteula
yields, and post a line of that.
If it doesn't produce anything, drop the date as well:
psloglist -s -t \t -i 528 security /accepteula
 
bsharath Author Commented:
I get this. Both the outputs.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.DEVELOPMENT>cd\

C:\>psloglist -s -t \t -i 528 security /accepteula
'psloglist' is not recognized as an internal or external command,
operable program or batch file.

C:\>cd Pstool

C:\Pstool>psloglist -s -t \t -i 528 security /accepteula

PsLoglist v2.62 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

PsLogList dumps event logs on a local or remote NT system.

Usage: psloglist [\\computer[,computer2[,...] | @file] [-u username [-p password
]]] [-s [-t delimiter]] [-m #|-n #|-d #|-h #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/
dd/yy] [-f filter] [-i ID,[ID,...]] | -e ID,[ID,...]] [-o event source[,event so
urce[,...]]] [-q event source[,event source[,...]]] [[-g|-l] event log file] <ev
ent log>
     @file     Psloglist will execute the command on each of the computers
               listed in the file.
     -a        Dump records timestamped after specified date.
     -b        Dump records timestamped before specified date.
     -c        Clear event log after displaying.
     -d        Only display records from previous n days.
     -e        Exclude events with the specified ID or IDs (up to 10).
     -f        Filter event types, using starting letter
               (e.g. "-f we" to filter warnings and errors).
     -g        Export an event log as an evt file. This can only be used
               with the -c switch (clear log).
     -h        Only display records from previous n hours.
     -i        Show only events with the specified ID or IDs (up to 10).
     -l        Dump the contents of the specified saved event log file.
     -m        Only display records from previous n minutes.
     -n        Only display n most recent records.
     -o        Show only records from the specified event source or sources
               (e.g. "-o cdrom").
     -p        Specifies password for user name.
     -q        Omit records from the specified event source or sources
               (e.g. "-q cdrom").
     -r        Dump log from least recent to most recent.
     -s        Records are listed on one line each with delimited
               fields, which is convenient for string searches.
     -t        The default delimiter for the -s option is a comma,
               but can be overriden with the specified character. Use "\t"
               to specify tab.
     -u        Specifies optional user name for login to
               remote computer.
     -w        Wait for new events, dumping them as they generate (local system
               only.)
     -x        Dump extended data.
     eventlog  Specifies event log to dump. Default is system. If the
               -l switch is present then the event log name specifies
               how to interpret the event log file.


C:\Pstool>psloglist -a 07/18/2007 -s -t \t -i 528 security /accepteula

PsLoglist v2.62 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

PsLogList dumps event logs on a local or remote NT system.

Usage: psloglist [\\computer[,computer2[,...] | @file] [-u username [-p password
]]] [-s [-t delimiter]] [-m #|-n #|-d #|-h #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/
dd/yy] [-f filter] [-i ID,[ID,...]] | -e ID,[ID,...]] [-o event source[,event so
urce[,...]]] [-q event source[,event source[,...]]] [[-g|-l] event log file] <ev
ent log>
     @file     Psloglist will execute the command on each of the computers
               listed in the file.
     -a        Dump records timestamped after specified date.
     -b        Dump records timestamped before specified date.
     -c        Clear event log after displaying.
     -d        Only display records from previous n days.
     -e        Exclude events with the specified ID or IDs (up to 10).
     -f        Filter event types, using starting letter
               (e.g. "-f we" to filter warnings and errors).
     -g        Export an event log as an evt file. This can only be used
               with the -c switch (clear log).
     -h        Only display records from previous n hours.
     -i        Show only events with the specified ID or IDs (up to 10).
     -l        Dump the contents of the specified saved event log file.
     -m        Only display records from previous n minutes.
     -n        Only display n most recent records.
     -o        Show only records from the specified event source or sources
               (e.g. "-o cdrom").
     -p        Specifies password for user name.
     -q        Omit records from the specified event source or sources
               (e.g. "-q cdrom").
     -r        Dump log from least recent to most recent.
     -s        Records are listed on one line each with delimited
               fields, which is convenient for string searches.
     -t        The default delimiter for the -s option is a comma,
               but can be overriden with the specified character. Use "\t"
               to specify tab.
     -u        Specifies optional user name for login to
               remote computer.
     -w        Wait for new events, dumping them as they generate (local system
               only.)
     -x        Dump extended data.
     eventlog  Specifies event log to dump. Default is system. If the
               -l switch is present then the event log name specifies
               how to interpret the event log file.


C:\Pstool>
 
oBdA Commented:
You have an older version of PsLogList; either get the current one, or drop the "/accepteula" parameter from the very first script and try again.
 
bsharath Author Commented:
Now I get this. In the csv file.

"180739      Security      Security      AUDIT SUCCESS      DEV-CHEN-SRV401      7/20/2007 1:23:26 PM      528      administrator\DEVELOPMENT      Successful Logon:     User Name: administrator     Domain:  DEVELOPMENT     Logon ID:  (0x0"
"180491      Security      Security      AUDIT SUCCESS      DEV-CHEN-SRV401      7/20/2007 10:13:27 AM      528      administrator\DEVELOPMENT      Successful Logon:     User Name: administrator     Domain:  DEVELOPMENT     Logon ID:  (0x0"
"178579      Security      Security      AUDIT SUCCESS      DEV-CHEN-SRV401      7/19/2007 8:33:20 AM      528      administrator\DEVELOPMENT      Successful Logon:     User Name: administrator     Domain:  DEVELOPMENT     Logon ID:  (0x0"

What do these login IDs mean, and any way to get it remotely please?
Question has a verified solution.
