Is there an activity log of remote access to a Windows Vista computer?

The basic question is does Windows Vista create or keep any information about users who access a computer remotely. Situation is that some information was taken from a computer, and it is believed that they gained access to the computer via RDP. The user is quite upset and is willing to take legal action, however, I would like to give them the information of User Name who accessed the computer, when it was accessed and IP address of the computer that was used to access the compromised one. I would think that Microsoft would have built something like this into their newest operating system, but I cannot find any information on it.
Banacek (President / CEO) Asked:
 
oBdA Commented:
That is logged by default already since at least NT4.
Filter the security event log for Event ID 528, which indicates a successful logon (and the user logging on). A logon through RDP should have a "Logon Type" of 10.
This won't tell you the client IP yet. For this, search for an Event ID 682 at about the same time (within seconds); this should tell you client name and client IP.

Audit logon events
http://technet2.microsoft.com/windowsserver/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true
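
The correlation described in the answer above, as an added example that is not part of the original thread: it reads a Security log exported as XML, keeps the Logon Type 10 logons, and attaches the client name and address from the nearest session event. It assumes Vista's event numbering, where 4624 and 4778 correspond to the 528 and 682 named above, a 10-second window for "within seconds", and constructed sample records.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WINDOW_SECONDS = 10  # assumption: what "within seconds" is taken to mean

# Constructed sample records (not from a real machine), wrapped in a root element.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2008-03-01T09:00:00.000000000Z"/></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="LogonType">2</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2008-03-01T10:15:02.120000000Z"/></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="LogonType">10</Data></EventData></Event>
<Event><System><EventID>4778</EventID><TimeCreated SystemTime="2008-03-01T10:15:04.480000000Z"/></System>
 <EventData><Data Name="AccountName">jsmith</Data><Data Name="ClientName">LAPTOP-7</Data>
 <Data Name="ClientAddress">203.0.113.25</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2008-03-01T23:41:10.000000000Z"/></System>
 <EventData><Data Name="TargetUserName">admin</Data><Data Name="LogonType">10</Data></EventData></Event>
</Events>"""


def load_events(xml_text):
    """Return (event_id, time, fields) for every Event element in the export."""
    events = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        fields = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        events.append((int(ev.findtext("e:System/e:EventID", namespaces=NS)),
                       datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),  # whole seconds
                       fields))
    return events


def rdp_logons(events, window=WINDOW_SECONDS):
    """Pair each Logon Type 10 logon with the closest session event in the window."""
    sessions = [(t, f) for eid, t, f in events if eid == 4778]
    report = []
    for eid, when, fields in events:
        if eid != 4624 or fields.get("LogonType") != "10":
            continue
        near = [(abs((t - when).total_seconds()), f) for t, f in sessions
                if abs((t - when).total_seconds()) <= window]
        client = min(near, key=lambda pair: pair[0])[1] if near else {}
        # A logon with no nearby session event is still reported, with the client unknown.
        report.append({"user": fields.get("TargetUserName"), "time": when.isoformat(),
                       "client_name": client.get("ClientName"),
                       "client_ip": client.get("ClientAddress")})
    return report


if __name__ == "__main__":
    for row in rdp_logons(load_events(SAMPLE)):
        print(row)
```
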
 
cammj Commented:
If you audit success logon events then yes. I'm not sure if Vista is set automatically to "Audit logon events - Success" like 2003 server but if it is then the events will appear as "Success Audit" Category Login/Logoff in the Security log under event viewer.

If your audit policy is not set, then you can change it by loading up the security policy, under "audit policy" set "audit logon events" to success.
 
LeeTutor (retired) Commented:
Type EVENTVWR.MSC in the Search or Run dialog box off the Start Menu and hit Enter.  I'm not sure, but I think you might find it under this tree in the Event Viewer left pane:

Event Viewer (Local)  -> Applications and Services ->  Microsoft -> Windows -> Terminal Services Remote Connection Manager -> Operational
 
Banacek (President / CEO) Author Commented:
Thanks for the help. Turns out it was probably wireless access and not through a user computer, however the information is logged - and now found! Thanks again!