ottcomputing
asked on
Track Down RDP Disconnection
Hi everyone,
I have a client who is constantly having his RDP connections overridden. The error he receives:
"Your Remote Desktop session has ended.
Another user connected to the remote computer, so your connection was lost. Try connecting again, or contact your network administrator or technical support group."
Now, I know what this means, someone with the same login ID has connected and disconnected an active session. What I can't find is source of the login. The security audit log in the event viewer doesn't show me any helpful information at the time it happens.
For example, AROUND the right time (not exactly the right time, but I allow for clock drift) I get this:
Log Name: Security
Source: Microsoft-Windows-Security -Auditing
Date: 7/6/2012 2:43:37 PM
Event ID: 4634
Task Category: Logoff
Level: Information
Keywords: Audit Success
User: N/A
Computer: obs-stdr2.obs.local
Description:
An account was logged off.
Subject:
Security ID: OBS\OBS-SBS$
Account Name: OBS-SBS$
Account Domain: OBS
Logon ID: 0xc9b46f6
Logon Type: 3
Can anyone help me figure this out? This user keeps having his app drop on him and sometimes restart quotes.
Thanks in advance.
I have a client who is constantly having his RDP connections overridden. The error he receives:
"Your Remote Desktop session has ended.
Another user connected to the remote computer, so your connection was lost. Try connecting again, or contact your network administrator or technical support group."
Now, I know what this means, someone with the same login ID has connected and disconnected an active session. What I can't find is source of the login. The security audit log in the event viewer doesn't show me any helpful information at the time it happens.
For example, AROUND the right time (not exactly the right time, but I allow for clock drift) I get this:
Log Name: Security
Source: Microsoft-Windows-Security
Date: 7/6/2012 2:43:37 PM
Event ID: 4634
Task Category: Logoff
Level: Information
Keywords: Audit Success
User: N/A
Computer: obs-stdr2.obs.local
Description:
An account was logged off.
Subject:
Security ID: OBS\OBS-SBS$
Account Name: OBS-SBS$
Account Domain: OBS
Logon ID: 0xc9b46f6
Logon Type: 3
Can anyone help me figure this out? This user keeps having his app drop on him and sometimes restart quotes.
Thanks in advance.
ASKER
As far as I can tell this user does not have any specific session limits. Thing is, in the Security event viewer, I can't see any of the logins at all. At least I can't identify them, the username isn't listed.
you may enable auditing on domain level via GPO on the server from "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy".
Two types of auditing available:
Audit Logon Events: records logons on the PCs targeted by the policy and the results appear in the Security Log on the PCs.
Audit Account Logon Events: tracks logons to the domain and the results appear in the Security Log on domain controllers only.
you may also consider using WMI/ADSI to query each domain controller for logon/logoff events.
Two types of auditing available:
Audit Logon Events: records logons on the PCs targeted by the policy and the results appear in the Security Log on the PCs.
Audit Account Logon Events: tracks logons to the domain and the results appear in the Security Log on domain controllers only.
you may also consider using WMI/ADSI to query each domain controller for logon/logoff events.
ASKER
I haven't forgotten about this. I will re-investigate it this week.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Self-resolved
I assume it is only happening to the one user?
Double check the user object's Active Session Limit and Idle Session Limit.