ottcomputing
 asked on

Track Down RDP Disconnection

Hi everyone,

I have a client who is constantly having his RDP connections overridden.  The error he receives:

"Your Remote Desktop session has ended.

Another user connected to the remote computer, so your connection was lost.  Try connecting again, or contact your network administrator or technical support group."

Now, I know what this means: someone with the same login ID has connected and disconnected an active session.  What I can't find is the source of the login.  The security audit log in the event viewer doesn't show me any helpful information at the time it happens.

For example, AROUND the right time (not exactly the right time, but I allow for clock drift) I get this:


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/6/2012 2:43:37 PM
Event ID:      4634
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      obs-stdr2.obs.local
Description:
An account was logged off.

Subject:
      Security ID:            OBS\OBS-SBS$
      Account Name:            OBS-SBS$
      Account Domain:            OBS
      Logon ID:            0xc9b46f6

Logon Type:                  3

Can anyone help me figure this out?  This user keeps having his app drop on him and sometimes restart quotes.

Thanks in advance.
Tags: Microsoft Legacy OS, Windows Server 2008, Remote Access


8/22/2022 - Mon
Rich Weissler

How certain are you that someone else is attempting to establish a session with the same ID?  Do you see a corresponding login event when your user is logged out?  The event quoted just looks like a normal logout.  (I assume that's what you mean by the logged event isn't very useful...)

I assume it is only happening to the one user?
Double check the user object's Active Session Limit and Idle Session Limit.
ottcomputing

ASKER
As far as I can tell this user does not have any specific session limits.  Thing is, in the Security event viewer, I can't see any of the logins at all.  At least I can't identify them; the username isn't listed.
bbao

You may enable auditing at the domain level via GPO on the server from "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy".

Two types of auditing are available:

Audit Logon Events: records logons on the PCs targeted by the policy and the results appear in the Security Log on the PCs.

Audit Account Logon Events: tracks logons to the domain and the results appear in the Security Log on domain controllers only.

You may also consider using WMI/ADSI to query each domain controller for logon/logoff events.
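
An added example, not part of any reply in this thread: once "Audit Logon Events" success auditing is enabled as described above, this PowerShell query (using Get-WinEvent rather than the WMI/ADSI route) lists Remote Desktop logons and session reconnect/disconnect events for one account on the RDP host, together with the client address and name recorded for each. The account name `jsmith` and the 24-hour window are assumptions for illustration.

```powershell
# Added example (not from the thread). Run elevated on the RDP host.
$User = 'jsmith'   # hypothetical account name: replace with the affected user

# 4624 = logon, 4778 = session reconnected, 4779 = session disconnected,
# restricted to the last 24 hours (timediff is in milliseconds).
$xpath = "*[System[(EventID=4624 or EventID=4778 or EventID=4779) and " +
         "TimeCreated[timediff(@SystemTime) <= 86400000]]]"

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
ForEach-Object {
    # Index the event's named <Data> fields by name.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($_.Id -eq 4624) {
        # Logon type 10 is RemoteInteractive (Remote Desktop); skip everything else.
        if ($d['LogonType'] -ne '10') { return }
        $name = $d['TargetUserName']; $addr = $d['IpAddress']; $client = $d['WorkstationName']
    } else {
        # 4778/4779 record the Remote Desktop client directly.
        $name = $d['AccountName']; $addr = $d['ClientAddress']; $client = $d['ClientName']
    }
    if ($name -ne $User) { return }

    New-Object PSObject -Property @{
        Time = $_.TimeCreated; EventId = $_.Id; User = $name
        SourceAddress = $addr; ClientName = $client
    }
} | Sort-Object Time | Format-Table Time, EventId, User, SourceAddress, ClientName -AutoSize
```

A 4779 for the affected user followed within seconds by a 4778 or a type 10 4624 from a different address identifies the machine that took over the session.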
bbao

Also have a look at this utility.

http://www.observeit-sys.com/Products/WindowsAuditor
ottcomputing

ASKER
I haven't forgotten about this.  I will re-investigate it this week.
ASKER CERTIFIED SOLUTION
ottcomputing

ottcomputing

ASKER
Self-resolved