• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 291
  • Last Modified:

Auditing Windows 2008 Server access

We have some Windows 2008 servers that multiple departments have RDP access to.

I would like to view who has been logging into these servers by using the Security logs.

Could someone tell me

i. What event id/ event id's I should be looking for in the Sec logs

ii. Is there anyway to find out the IPs that these accounts are logging in from
1 Solution
If you wanna find out who logged in recently via RDP please use the following command

query session /server:YOURSERVERNAME

And if you find out that someone has logged in and then left the country, you can kick them off too - the above command will tell you each user's session id and you can use this to boot them off the box. In this example, the session id is 1.

rwinsta /server:YOURSERVERNAME 1

If you wanna know who logged in and who logged off please follow the link below.

Event IDs 538 and 540 for tracking Log on and Log off's.

In addition a useful article below
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now