• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 836
  • Last Modified:

Verify accounts that have accessed server

Client want to know what accounts have accessed the server (Windows Server 2008 standard edition) in the last three months.  Users log onto server via remote desktop connection.  Have looked through the security logs, but its like looking for a needle in a haystack.  In there some way/program that extracts the info from the logs?  TY in advance
5 Solutions
Leon FesterIT Project Change ManagerCommented:
You'd have to check the security log of this server, or the security logs of your domain controllers.

Only problem is that these logs can be overwritten over a period of time, so if the logs don't go back to the dates you need then you'll not be able to find that information.

You could also review changes to the dates of the users profiles:

It will record the time that the profile was last updated, which would happen anytime a user logged onto the server.

If he does required some monitoring going forward, then you can easily configure a startup script to record the date, time and user account that logged on.
btanExec ConsultantCommented:
Saw the Remote Desktop Gateway Manager which has the RDP store in event viewer, assuming has enabled audit using it.
Sudeep SharmaTechnical DesignerCommented:
You could use Powershell Script to get the logon and logout information, a simple example would be like this:

Logon Events:
get-eventlog Security | where-object {$_.EventID -eq "4648"}

Logout Events
get-eventlog Security | where-object {$_.EventID -eq "4634"}
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

btanExec ConsultantCommented:
From the event log there would be many type of login, this can be helpful to sieve out specifically the "RemoteInteractive" type (  Logon Type: 10 )


If you are thinking of event viewer, it will not help as much since it doesn’t give us the ability to look for anything in the event message body, such as the logon type. Script or SIEM can help as options
Is auditing enabled? If not, as suggested above one solution is to check MAC times on the profiles created in the users folder. You can also filter the security logs on ID:


No idea if you harvest the logs centrally or if they have overwritten, perhaps you could get the evt files from a backup if it doesnt go back 3 months in the current file.
madTECHCAuthor Commented:
The TS hosts have provided a link to a page that provides user access (exc admin) information back for the last three months.  Thanks.

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now