Solved

Need to get the report of a machine's mstsc logins: users and machines

Posted on 2007-07-20
Medium Priority
669 Views
Last Modified: 2011-04-14
Hi,

I need to just get the username and machine name of all the mstsc logins from the last 2 days to a particular machine.
Just to get this data from the event logs.
Regards
Sharath
Question by:bsharath
11 Comments

Expert Comment

by:Brugh
ID: 19533617
You want a report of all RDP logins over the past 2 days?

That report needs to contain the User name and the remote Machine name of the person that connected?

Is that what you are asking?

Or are you looking for a way to do this for all machines on your network without having to login to all of them?

 - Brugh

Expert Comment

by:ocon827679
ID: 19533921
You have to be auditing for "successful logins" to get this information.  Since this will give you all logins including RDP as well as interactive, you will then need to filter on only the RDP ones.  

Author Comment

by:bsharath
ID: 19537857
I need the report to contain the user name and the remote machine name of the person that connected, to a particular machine.


Author Comment

by:bsharath
ID: 19538500
Any help...

Expert Comment

by:oBdA
ID: 19540806
Get Sysinternals' PsLogList (http://www.microsoft.com/technet/sysinternals/Security/PsLogList.mspx), then open a command prompt and run
psloglist -a 07/18/2007 -s -t \t -i 528 security /accepteula | find /i "Logon Type: 10" >RemoteDesktop.csv
This should create a tab-separated file "RemoteDesktop.csv" of RDP connections in the last two days (the event ID to look for in the Security event log is 528, with a logon type of 10).
You can then import that into Excel and check for the source IP and the user name that logged on.
Note that the remote machine has to run Server 2003 for this type of event to be logged by default. XP only logs these connections if this has been specifically enabled.

Author Comment

by:bsharath
ID: 19541751
oBdA
It's creating a csv file, but there's no data inside it.

Expert Comment

by:oBdA
ID: 19542246
Try what output
psloglist -a 07/18/2007 -s -t \t -i 528 security /accepteula
yields, and post a line of that.
If it doesn't produce anything, drop the date as well:
psloglist -s -t \t -i 528 security /accepteula

Author Comment

by:bsharath
ID: 19542860
I get this. Both the outputs:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.DEVELOPMENT>cd\

C:\>psloglist -s -t \t -i 528 security /accepteula
'psloglist' is not recognized as an internal or external command,
operable program or batch file.

C:\>cd Pstool

C:\Pstool>psloglist -s -t \t -i 528 security /accepteula

PsLoglist v2.62 - local and remote event log viewer
Copyright (C) 2000-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

PsLogList dumps event logs on a local or remote NT system.

Usage: psloglist [\\computer[,computer2[,...] | @file] [-u username [-p password
]]] [-s [-t delimiter]] [-m #|-n #|-d #|-h #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/
dd/yy] [-f filter] [-i ID,[ID,...]] | -e ID,[ID,...]] [-o event source[,event so
urce[,...]]] [-q event source[,event source[,...]]] [[-g|-l] event log file] <ev
ent log>
     @file     Psloglist will execute the command on each of the computers
               listed in the file.
     -a        Dump records timestamped after specified date.
     -b        Dump records timestamped before specified date.
     -c        Clear event log after displaying.
     -d        Only display records from previous n days.
     -e        Exclude events with the specified ID or IDs (up to 10).
     -f        Filter event types, using starting letter
               (e.g. "-f we" to filter warnings and errors).
     -g        Export an event log as an evt file. This can only be used
               with the -c switch (clear log).
     -h        Only display records from previous n hours.
     -i        Show only events with the specified ID or IDs (up to 10).
     -l        Dump the contents of the specified saved event log file.
     -m        Only display records from previous n minutes.
     -n        Only display n most recent records.
     -o        Show only records from the specified event source or sources
               (e.g. "-o cdrom").
     -p        Specifies password for user name.
     -q        Omit records from the specified event source or sources
               (e.g. "-q cdrom").
     -r        Dump log from least recent to most recent.
     -s        Records are listed on one line each with delimited
               fields, which is convenient for string searches.
     -t        The default delimiter for the -s option is a comma,
               but can be overriden with the specified character. Use "\t"
               to specify tab.
     -u        Specifies optional user name for login to
               remote computer.
     -w        Wait for new events, dumping them as they generate (local system
               only.)
     -x        Dump extended data.
     eventlog  Specifies event log to dump. Default is system. If the
               -l switch is present then the event log name specifies
               how to interpret the event log file.


C:\Pstool>psloglist -a 07/18/2007 -s -t \t -i 528 security /accepteula

[identical PsLoglist v2.62 usage text as above, omitted]

C:\Pstool>

Expert Comment

by:oBdA
ID: 19542880
You have an older version of PsLogList; either get the current one, or drop the "/accepteula" parameter from the very first script and try again.

Author Comment

by:bsharath
ID: 19542977
Now I get this in the csv file.

"180739      Security      Security      AUDIT SUCCESS      DEV-CHEN-SRV401      7/20/2007 1:23:26 PM      528      administrator\DEVELOPMENT      Successful Logon:     User Name: administrator     Domain:  DEVELOPMENT     Logon ID:  (0x0"
"180491      Security      Security      AUDIT SUCCESS      DEV-CHEN-SRV401      7/20/2007 10:13:27 AM      528      administrator\DEVELOPMENT      Successful Logon:     User Name: administrator     Domain:  DEVELOPMENT     Logon ID:  (0x0"
"178579      Security      Security      AUDIT SUCCESS      DEV-CHEN-SRV401      7/19/2007 8:33:20 AM      528      administrator\DEVELOPMENT      Successful Logon:     User Name: administrator     Domain:  DEVELOPMENT     Logon ID:  (0x0"

What do these login IDs mean, and is there any way to get it remotely, please?

Accepted Solution

by: oBdA (earned 2000 total points)
ID: 19543017
To do that remotely, just add the server name as mentioned in the syntax:
psloglist \\SomeServer -a 07/18/2007 -s -t \t -i 528 security | find /i "Logon Type: 10" >RemoteDesktop.csv

The next column after the event id (528) will give you the user name that logged on.
Some columns later (which you didn't post) you'll find the Source IP from which the connection was established.
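The two answers above boil down to one procedure: dump successful-logon events (ID 528) from the Security log with psloglist in delimited mode, keep only the records whose message says "Logon Type: 10" (RemoteInteractive, i.e. Terminal Services / Remote Desktop), and read the user name and the Source Network Address out of the message text. The script below is an added example written for this page; it is not code from the thread or from Sysinternals. It replaces the `find /i "Logon Type: 10"` step with a parser that extracts the user, domain, workstation and source address into a tab-separated report, applies the same "since mm/dd/yyyy" cut-off that `psloglist -a` takes, and, going beyond the thread, also understands event 4624, which is what Vista/2008 and later log instead of 528. Assumptions: the record layout is the one psloglist `-s -t \t` printed on this page (record number, log, source, type, computer, time, event ID, user, message); the message field uses the standard 528/4624 field labels (`Logon Type:`, `Workstation Name:`, `Source Network Address:`); the timestamp is in the US-locale form shown on the page; and the sample records are constructed for the example, with documentation-range addresses.

```python
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

RDP_LOGON_TYPE = "10"            # RemoteInteractive: Terminal Services / Remote Desktop
LOGON_EVENT_IDS = {"528", "4624"}  # successful logon: 528 on 2000/XP/2003, 4624 on Vista+
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # "7/20/2007 1:23:26 PM" as psloglist printed it (assumed US locale)


@dataclass
class RdpLogon:
    when: str
    computer: str
    event_id: str
    user: str
    domain: str
    workstation: str
    source_address: str


def _grab(pattern: str, text: str) -> str:
    """First capture group of pattern in text, or '' if absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else ""


def parse_record(line: str) -> Optional[RdpLogon]:
    # psloglist -s -t \t: record#, log, source, type, computer, time, event id, user, message
    # The message is split off last so tabs inside it cannot shift the columns.
    fields = line.rstrip("\r\n").split("\t", 8)
    if len(fields) < 9:
        return None
    computer, when, event_id, message = fields[4], fields[5], fields[6], fields[8]
    if event_id not in LOGON_EVENT_IDS:
        return None  # logoffs (538/4634) and anything else mentioning a logon type
    if _grab(r"Logon Type:\s*(\d+)", message) != RDP_LOGON_TYPE:
        return None  # console (2), network (3), batch, service logons
    if event_id == "528":
        user = _grab(r"User Name:\s*(\S+)", message)
        domain = _grab(r"\bDomain:\s*(\S+)", message)
    else:
        # 4624 names two accounts: the Subject that requested the logon and the
        # New Logon that was granted. The second one is the RDP user.
        new_logon = message.split("New Logon:", 1)[-1]
        user = _grab(r"Account Name:\s*(\S+)", new_logon)
        domain = _grab(r"Account Domain:\s*(\S+)", new_logon)
    return RdpLogon(when.strip(), computer, event_id, user, domain,
                    _grab(r"Workstation Name:\s*(\S+)", message),
                    _grab(r"Source Network Address:\s*(\S+)", message))


def rdp_logons(lines: Iterable[str], since: Optional[str] = None) -> List[RdpLogon]:
    """RDP logons in lines; with since='mm/dd/yyyy' (as for psloglist -a) only those on/after it."""
    cutoff = datetime.strptime(since, "%m/%d/%Y") if since else None
    hits = []
    for rec in filter(None, map(parse_record, lines)):
        if cutoff is not None:
            try:
                if datetime.strptime(rec.when, TIME_FORMAT) < cutoff:
                    continue
            except ValueError:
                continue  # timestamp in an unexpected locale format: skip rather than guess
        hits.append(rec)
    return hits


def report(logons: List[RdpLogon]) -> str:
    header = "Time\tComputer\tEvent\tDomain\\User\tWorkstation\tSource Address"
    rows = [f"{r.when}\t{r.computer}\t{r.event_id}\t{r.domain}\\{r.user}\t{r.workstation}\t{r.source_address}"
            for r in logons]
    return "\n".join([header] + rows)


def _rec(num, computer, when, event_id, user_field, message):
    return "\t".join([num, "Security", "Security", "AUDIT SUCCESS", computer, when, event_id, user_field, message])


# Constructed sample records (not real log data); message text follows the standard 528/4624 layout.
SAMPLE_LINES = [
    _rec("180739", "DEV-CHEN-SRV401", "7/20/2007 1:23:26 PM", "528", "administrator\\DEVELOPMENT",
         "Successful Logon:     User Name: administrator     Domain:  DEVELOPMENT     Logon ID:  (0x0,0x3F2A1)     "
         "Logon Type: 10     Logon Process: User32     Authentication Package: Negotiate     "
         "Workstation Name: DEV-CHEN-SRV401     Source Network Address: 192.0.2.17     Source Port: 1047"),
    _rec("180491", "DEV-CHEN-SRV401", "7/20/2007 10:13:27 AM", "528", "administrator\\DEVELOPMENT",  # console logon
         "Successful Logon:     User Name: administrator     Domain:  DEVELOPMENT     Logon ID:  (0x0,0x2C9B0)     "
         "Logon Type: 2     Logon Process: User32     Workstation Name: DEV-CHEN-SRV401     Source Network Address: 127.0.0.1"),
    _rec("178579", "DEV-CHEN-SRV401", "7/17/2007 8:33:20 AM", "528", "bsharath\\DEVELOPMENT",  # RDP, older than 2 days
         "Successful Logon:     User Name: bsharath     Domain:  DEVELOPMENT     Logon ID:  (0x0,0x1A77C)     "
         "Logon Type: 10     Logon Process: User32     Workstation Name: SHARATH-XP     Source Network Address: 192.0.2.44"),
    _rec("4421", "DEV-CHEN-SRV801", "7/20/2007 3:05:11 PM", "4624", "N/A",  # Vista/2008+ equivalent of 528
         "An account was successfully logged on.     Subject:     Security ID: S-1-5-18     Account Name: DEV-CHEN-SRV801$     "
         "Account Domain: DEVELOPMENT     Logon ID: 0x3e7     Logon Type: 10     New Logon:     Security ID: S-1-5-21-1-2-3-1105     "
         "Account Name: bsharath     Account Domain: DEVELOPMENT     Logon ID: 0x5a2f1     Network Information:     "
         "Workstation Name: SHARATH-W7     Source Network Address: 192.0.2.44     Source Port: 49211"),
    _rec("180500", "DEV-CHEN-SRV401", "7/20/2007 11:00:00 AM", "538", "administrator\\DEVELOPMENT",  # logoff, not a logon
         "User Logoff:     User Name: administrator     Domain: DEVELOPMENT     Logon ID: (0x0,0x3F2A1)     Logon Type: 10"),
]

if __name__ == "__main__":
    # Real use:  psloglist \\SomeServer -s -t \t -i 528 security | python rdp_report.py 07/18/2007
    since = sys.argv[1] if len(sys.argv) > 1 else None
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    print(report(rdp_logons(source, since)))
```

Run on the built-in sample with a cut-off of 07/18/2007 it reports two logons: the administrator's RDP session from 192.0.2.17 and the 4624-style session from 192.0.2.44; the console logon, the logoff and the logon from 7/17 are dropped. Piped real psloglist output works the same way, and because the event ID is checked before the logon type, a `find` on "Logon Type: 10" is no longer needed and logoff records that carry the same string cannot sneak into the report.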
