I have a client who is constantly having his RDP connections overridden. The error he receives:
"Your Remote Desktop session has ended.
Another user connected to the remote computer, so your connection was lost. Try connecting again, or contact your network administrator or technical support group."
Now, I know what this means, someone with the same login ID has connected and disconnected an active session. What I can't find is source of the login. The security audit log in the event viewer doesn't show me any helpful information at the time it happens.
For example, AROUND the right time (not exactly the right time, but I allow for clock drift) I get this:
Log Name: Security
Date: 7/6/2012 2:43:37 PM
Event ID: 4634
Task Category: Logoff
Keywords: Audit Success
An account was logged off.