Solved

How to tell if a user has remotely logged onto a server

Posted on 2008-06-24
Last Modified: 2010-08-05
How can you tell if someone is remotely accessing a server?

Is that logged in the event log, security logs and if so what event id would it be and how would it be listed.

I see a bunch of logs, some anonymous, some administrator... some I don't know what they do... would this be the place?

We are checking to see if one of our IT admins is remotely accessing a specific server... and would like to know if it gets logged when someone RDPs into a server.

Thanks
Question by:WestonGroup
Expert Comment

by:agriesser
ID: 21860242
Check the event log (Start -> Run -> eventvwr), click on Security and watch out for event IDs 528 and 538.
Accepted Solution

by: Rob Williams
ID: 21860616
1) You can use the Terminal services manager in administrative tools to view local or remote server terminal server/remote desktop sessions

2) You can enable detailed auditing and within the configuration, you can configure the systems and successful and/or failed events you wish to audit. Following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
However using auditing can be time consuming to filter and extract.

3) Another option is to add the lines below to each user's logon and logoff script to create a log file. It would give you UserName, ComputerName, date and time in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a logoff script in group policy (if you don't already have one: User Configuration | Windows Settings | Scripts | Logoff). You likely won't need the last line (IP address) in the logoff script.

As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File

Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
  TCP    10.0.1.100:3389        66.66.123.123:1234        ESTABLISHED
 
Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
  TCP    10.0.1.200:3389        66.66.123.124:1234        ESTABLISHED
 
Log Off: jsmith SERVER1  Tue 1/1/2007   11:30
---------------------------------------------------------------------------

:Logging
REM Create the log file with a header line the first time the script runs
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
REM Blank separator line, then user, computer, date and time on a single line
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
REM Append the established RDP (TCP 3389) connection, which shows the remote IP
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"

---------------------------------------------------------------------------
Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log file.
Expert Comment

by:agriesser
ID: 21863477
RobWill, your solution probably does not list the remote logins that happened in the past, or does it?
Do you know of any other way to access this information when the logging you mentioned hasn't been enabled, let's say, I'm suspecting someone doing something nasty and want to look if he logged in in the last week?
Expert Comment

by:Rob Williams
ID: 21864399
I don't know of a way to check past activities if systems have not been put in place beforehand.
0
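The two pieces of advice above (agriesser's event IDs 528/538 and Rob's point 2 about enabling logon auditing) can be combined into one query, which also answers the "what happened last week" question for any server where "Audit logon events" (Success) was already switched on: the Security log keeps past logons until it wraps. The following PowerShell script is an added example and not code from the thread. It assumes Windows Vista/Server 2008 or later record successful logons as event 4624 with Logon Type 10 (RemoteInteractive) for RDP, that Windows XP/Server 2003 record the legacy 528 with the same Logon Type 10 and English message text, that the account running it is an administrator on the target, and the script file name is hypothetical.

```powershell
# Added example, not code from the original thread.
# Lists Remote Desktop logons recorded in a server's Security event log.
#
# Assumptions (mine, not stated on the page):
#  - Vista / Server 2008 and later: successful logon = event 4624,
#    RDP session = Logon Type 10 (RemoteInteractive).
#  - XP / Server 2003: legacy event 528, also Logon Type 10; the legacy
#    branch parses the English message body.
#  - "Audit logon events" (Success) was already enabled on the server.
#  - Run as an administrator; reading the Security log requires it.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7,
    [string]$UserName = ''      # optional, e.g. 'jdoe' to look at one admin
)

$since = (Get-Date).AddDays(-$Days)

function Get-ModernRdpLogons {
    # Event 4624, Logon Type 10. Fields are read from the event XML by name,
    # so this does not depend on the display language of the message text.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['LogonType'] -ne '10') { continue }   # 10 = RemoteInteractive (RDP)
        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = 4624
            User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIP = $data['IpAddress']
            LogonId  = $data['TargetLogonId']   # same value appears in the 4634/4647 logoff
        }
    }
}

function Get-LegacyRdpLogons {
    # Event 528 on XP / 2003. The classic log has no named fields, so the
    # values are pulled from the (English) message body with regular expressions.
    $events = Get-EventLog -ComputerName $ComputerName -LogName Security -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 528 }

    foreach ($e in $events) {
        if ($e.Message -notmatch 'Logon Type:\s*10\b') { continue }
        $user = if ($e.Message -match 'User Name:\s*(\S+)') { $Matches[1] } else { '?' }
        if ($UserName -and $user -ne $UserName) { continue }
        $ip  = if ($e.Message -match 'Source Network Address:\s*(\S+)') { $Matches[1] } else { '?' }
        $lid = if ($e.Message -match 'Logon ID:\s*(\S+)') { $Matches[1] } else { '?' }

        [pscustomobject]@{
            Time     = $e.TimeGenerated
            EventId  = 528
            User     = $user
            SourceIP = $ip
            LogonId  = $lid     # same value appears in the matching 538 logoff
        }
    }
}

$logons = @(Get-ModernRdpLogons) + @(Get-LegacyRdpLogons)
$logons | Sort-Object Time | Format-Table Time, EventId, User, SourceIP, LogonId -AutoSize
```

Run it as, for example, `.\Get-RdpLogons.ps1 -ComputerName SERVER1 -Days 7 -UserName jdoe` (file name assumed). Two caveats a practitioner should keep in mind: the Security log is a ring buffer, so once it wraps the older logons are gone unless it was archived; and reconnecting to an existing disconnected session does not produce a new 4624/528 logon but a session-reconnect event instead (4778 on Vista/2008 and later, 682 on 2003), so a complete picture of an admin's RDP use should include those as well.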
 
LVL 14

Expert Comment

by:agriesser
ID: 21924405
WestonGroup, was this information helpful for you?