Solved

How to tell if a user has remotely logged onto a server

Posted on 2008-06-24
7
1,044 Views
Last Modified: 2010-08-05
How can you tell if someone is remotely accessing a server?

Is that logged in the event log, security logs and if so what event id would it be and how would it be listed.

I see a bunch of logs some annomyous, some administrator....some I dont' know what they do...would this be the place.

We are checking to see if one of our it admins are remotely accessing a specific server...and would like to know if that gets logged if someone rdps into a server

Thanks
0
Comment
Question by:WestonGroup
  • 3
  • 2
7 Comments
 
LVL 14

Expert Comment

by:agriesser
ID: 21860242
Check the eventlog (Start -> Run -> eventvwr), click on Security and watch out for event ids 528 and 538.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 21860616
1) You can use the Terminal services manager in administrative tools to view local or remote server terminal server/remote desktop sessions

2) You can enable detailed auditing and within the configuration, you can configure the systems and successful and/or failed events you wish to audit. Following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
However using auditing can be time consuming to filter and extract.

3) Another option is to add the lines below to each users logon and log off script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a log off script in group policy (if you don't already have one: User Configuration | Windows settings | Scripts | Logoff). You likely wont need the last line (IP address) in the log off script.

As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File

Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
  TCP    10.0.1.100:3389        66.66.123.123:1234        ESTABLISHED
 
Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
  TCP    10.0.1.200:3389        66.66.123.124:1234        ESTABLISHED
 
Log Off: jsmith SERVER1  Tue 1/1/2007   11:30
---------------------------------------------------------------------------

:Logging
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"

---------------------------------------------------------------------------
Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file.
0
 
LVL 14

Expert Comment

by:agriesser
ID: 21863477
RobWill, your solution probably does not list the remote logins that have been happend in the past, or does it?
Do you know of any other way to access this information when the logging you mentioned hasn't been enabled, let's say, I'm suspecting someone doing something nasty and want to look if he logged in in the last week?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21864399
I don't know of a way to check past activities if systems have not been put in place beforehand.
0
 
LVL 14

Expert Comment

by:agriesser
ID: 21924405
WestonGroup, was this information helpful for you?
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Greetings, Experts! First let me state that this website is top notch. I thoroughly enjoy the community that is shared here; those seeking help and those willing to sacrifice their time to help. It is fantastic. I am writing this article at th…
Resolve DNS query failed errors for Exchange
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now