Is there an activity log of remote access to a windows Vista Computer?

The basic question is does Windows Vista create or keep any information about users who access a computer remotely.  Situation is that some information was taken from a computer, and it is beleived that they gained access to the computer via RDP.  The user is quite upset and is willing to take legal action, however, I would like to give them the information of User Name who accessed the computer, when it was accessed and IP address of the computer that was used to access the compromised one.  I would think that Microsoft would have built something like this into their newest operating system, but I can not find any information on it.
BanacekPresident / CEOAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If you audit success logon events then yes. I'm not sure if Vista is set automatically to "Audit logon events - Success" like 2003 server but if it is then the events will appear as "Success Audit" Catagory Login/Logoff in the Security log under event viewer.

If your audit policy is not set, then you can change it by loading up the security policy, under "audit policy" set "audit logon events" to success
Type EVENTVWR.MSC in the Search or Run dialog box off the Start Menu and hit Enter.  I'm not sure, but I think you might find it under this tree in the Event Viewer left pane:

Event Viewer (Local)  -> Applications and Services ->  Microsoft -> Windows -> Terminal Services Remote Connection Manager -> Operational
That is logged by default already since at least NT4.
Filter the security event log for Event ID 528, which indicates a successful logon (and the user logging on). A logon through RDP should have a "Logon Type" of 10.
This won't tell you the client IP yet. For this, search for an Event ID 682 at about the same time (within seconds); this should tell you client name and client IP

Audit logon events

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BanacekPresident / CEOAuthor Commented:
Thanks for the help.  Turns out it was probably wireless access and not through a user computer, however the information is logged - and now found!  Thanx again!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.