Verify accounts that have accessed server

Posted on 2012-08-13
Last Modified: 2012-08-15
Client wants to know what accounts have accessed the server (Windows Server 2008 Standard edition) in the last three months.  Users log onto the server via remote desktop connection.  Have looked through the security logs, but it's like looking for a needle in a haystack.  Is there some way/program that extracts the info from the logs?  TY in advance
Question by:madTECHC
    LVL 26

    Accepted Solution

    You'd have to check the security log of this server, or the security logs of your domain controllers.

    Only problem is that these logs can be overwritten over a period of time, so if the logs don't go back to the dates you need then you'll not be able to find that information.

    You could also review changes to the dates of the users' profiles:

    It will record the time that the profile was last updated, which would happen anytime a user logged onto the server.

    If he does require some monitoring going forward, then you can easily configure a startup script to record the date, time and user account that logged on.
    LVL 60

    Assisted Solution

    Saw the Remote Desktop Gateway Manager which has the RDP store in event viewer, assuming has enabled audit using it.
    LVL 29

    Assisted Solution

    by:Sudeep Sharma
    You could use a PowerShell script to get the logon and logout information, a simple example would be like this:

    Logon Events:
    get-eventlog Security | where-object {$_.EventID -eq "4648"}

    Logout Events:
    get-eventlog Security | where-object {$_.EventID -eq "4634"}
    LVL 60

    Assisted Solution

    From the event log there would be many types of login, this can be helpful to sieve out specifically the "RemoteInteractive" type (Logon Type: 10).

    If you are thinking of Event Viewer, it will not help as much since it doesn’t give us the ability to look for anything in the event message body, such as the logon type. Script or SIEM can help as options.
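
The Logon Type 10 filtering suggested above, as an added example that is not part of the original post: it reads the logon type from each event's XML body and summarises RDP logons per account. It assumes event ID 4624 (successful logon) and its standard TargetUserName, TargetDomainName, LogonType and IpAddress fields; the function names, the CORP domain and the sample events are constructed for illustration.

```powershell
function ConvertTo-LogonRecord {
    param([string]$EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    # EventData holds <Data Name='...'>value</Data> pairs; index them by name.
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time      = [datetime]$evt.System.TimeCreated.SystemTime
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = [int]$data['LogonType']
        SourceIp  = $data['IpAddress']
    }
}

function Get-RdpLogonSummary {
    param([string[]]$EventXml, [datetime]$Since)
    $EventXml | ForEach-Object { ConvertTo-LogonRecord $_ } |
        Where-Object { $_.LogonType -eq 10 -and $_.Time -ge $Since } |
        Group-Object Account |
        ForEach-Object {
            $g = $_; $sorted = @($g.Group | Sort-Object Time)   # @() keeps a single hit indexable
            New-Object PSObject -Property @{
                Account = $g.Name
                Logons  = $g.Count
                First   = $sorted[0].Time
                Last    = $sorted[-1].Time
                Sources = (@($sorted | ForEach-Object { $_.SourceIp } | Sort-Object -Unique) -join ', ')
            }
        }
}

# Constructed sample events (not real log data), reduced to the fields read above.
$t = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID>" +
     "<TimeCreated SystemTime='{0}'/></System><EventData><Data Name='TargetUserName'>{1}</Data>" +
     "<Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>{2}</Data>" +
     "<Data Name='IpAddress'>{3}</Data></EventData></Event>"
$sample = @(
    ($t -f '2012-06-04T08:14:05.000000000Z', 'alice',   10, '192.0.2.10'),
    ($t -f '2012-08-10T17:40:31.000000000Z', 'alice',   10, '192.0.2.44'),
    ($t -f '2012-07-19T02:03:12.000000000Z', 'svc_bak',  3, '192.0.2.7'),    # network logon, filtered out
    ($t -f '2012-02-01T09:00:00.000000000Z', 'bob',     10, '192.0.2.23')    # older than the window
)
Get-RdpLogonSummary -EventXml $sample -Since ([datetime]'2012-05-13') |
    Format-Table Account, Logons, First, Last, Sources -AutoSize

# On the server itself (elevated prompt), feed it the live log instead:
# $since = (Get-Date).AddMonths(-3)
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} | ForEach-Object { $_.ToXml() }
# Get-RdpLogonSummary -EventXml $xml -Since $since
```

The summary can only reach back as far as the Security log has been retained, so check the oldest event's date before treating an empty result as "no logons".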
    LVL 3

    Assisted Solution

    Is auditing enabled? If not, as suggested above one solution is to check MAC times on the profiles created in the users folder. You can also filter the security logs on ID:

    No idea if you harvest the logs centrally or if they have been overwritten, perhaps you could get the evt files from a backup if it doesn't go back 3 months in the current file.
    Author Closing Comment

    The TS hosts have provided a link to a page that provides user access (exc admin) information back for the last three months.  Thanks.
