Asked by ottcomputing

Track Down RDP Disconnection

Hi everyone,

I have a client who is constantly having his RDP connections overridden.  The error he receives:

"Your Remote Desktop session has ended.

Another user connected to the remote computer, so your connection was lost.  Try connecting again, or contact your network administrator or technical support group."

Now, I know what this means: someone with the same login ID has connected and disconnected an active session.  What I can't find is the source of the login.  The security audit log in the event viewer doesn't show me any helpful information at the time it happens.

For example, AROUND the right time (not exactly the right time, but I allow for clock drift) I get this:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/6/2012 2:43:37 PM
Event ID:      4634
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      obs-stdr2.obs.local
An account was logged off.

      Security ID:            OBS\OBS-SBS$
      Account Name:            OBS-SBS$
      Account Domain:            OBS
      Logon ID:            0xc9b46f6

Logon Type:                  3

Can anyone help me figure this out?  This user keeps having his app drop on him and sometimes restart quotes.

Thanks in advance.
Rich Weissler

How certain are you that someone else is attempting to establish a session with the same ID?  Do you see a corresponding login event when your user is logged out?  The event quoted just looks like a normal logout.  (I assume that's what you mean by the logged event isn't very useful...)

I assume it is only happening to the one user?
Double check the user object's Active Session Limit and Idle Session Limit.
ottcomputing

As far as I can tell this user does not have any specific session limits.  Thing is, in the Security event viewer, I can't see any of the logins at all.  At least I can't identify them, the username isn't listed.

You may enable auditing at the domain level via GPO on the server from "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy".

Two types of auditing are available:

Audit Logon Events: records logons on the PCs targeted by the policy and the results appear in the Security Log on the PCs.

Audit Account Logon Events: tracks logons to the domain and the results appear in the Security Log on domain controllers only.

You may also consider using WMI/ADSI to query each domain controller for logon/logoff events.
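
Once logon auditing is recording events on the RDP host, the source of a session takeover can be read from the Security log. The following is an added example, not code from this thread: it correlates the standard Windows events 4779 (session disconnected), 4778 (session reconnected) and 4624 with Logon Type 10 (RemoteInteractive), none of which are quoted above. It assumes the log was exported as XML under one root element (for example `wevtutil qe Security /f:xml /e:Events`); the account name `jsmith` and the addresses are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_events(xml_text):
    """Flatten Security events exported as XML under a single root element."""
    out = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        out.append({
            "id": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "time": datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S"),
            # 4778/4779 carry AccountName/ClientAddress; 4624 carries TargetUserName/IpAddress
            "account": (data.get("AccountName") or data.get("TargetUserName", "")).lower(),
            "source": data.get("ClientAddress") or data.get("IpAddress", ""),
            "logon_type": data.get("LogonType", ""),
        })
    return sorted(out, key=lambda r: r["time"])

def find_takeovers(events, account, window=timedelta(seconds=30)):
    """For each RDP disconnect (4779) of `account`, list other addresses that
    reconnected (4778) or logged on over RDP (4624, type 10) within `window`."""
    mine = [e for e in events if e["account"] == account.lower()]
    joins = [e for e in mine if e["id"] == 4778
             or (e["id"] == 4624 and e["logon_type"] == "10")]
    hits = []
    for drop in (e for e in mine if e["id"] == 4779):
        others = sorted({j["source"] for j in joins
                         if abs(j["time"] - drop["time"]) <= window
                         and j["source"] != drop["source"]})
        if others:
            hits.append({"time": drop["time"], "dropped": drop["source"], "took_over": others})
    return hits

# Constructed sample export: the account name and addresses are made up.
def _ev(eid, ts, **data):
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID><TimeCreated '
            f'SystemTime="{ts}.0000000Z"/></System><EventData>{fields}</EventData></Event>')

SAMPLE = "<Events>" + "".join([
    _ev(4624, "2012-07-06T18:43:35", TargetUserName="jsmith", LogonType="10", IpAddress="192.0.2.77"),
    _ev(4779, "2012-07-06T18:43:36", AccountName="jsmith", ClientAddress="192.0.2.10"),
    _ev(4778, "2012-07-06T18:43:36", AccountName="jsmith", ClientAddress="192.0.2.77"),
    _ev(4634, "2012-07-06T18:43:37", TargetUserName="OBS-SBS$", LogonType="3"),
]) + "</Events>"
print(find_takeovers(parse_events(SAMPLE), "jsmith"))
```

Events 4778 and 4779 are only written when the "Other Logon/Logoff Events" audit subcategory is enabled on the RDP host; without it, the 4624 type 10 record alone still carries the connecting address.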
I haven't forgotten about this.  I will re-investigate it this week.