Verify accounts that have accessed server

Client wants to know what accounts have accessed the server (Windows Server 2008 standard edition) in the last three months. Users log onto server via remote desktop connection. Have looked through the security logs, but it's like looking for a needle in a haystack. Is there some way/program that extracts the info from the logs? TY in advance
madTECHC Asked:
 
Leon Fester (Senior Solutions Architect) Commented:
You'd have to check the security log of this server, or the security logs of your domain controllers.

Only problem is that these logs can be overwritten over a period of time, so if the logs don't go back to the dates you need then you'll not be able to find that information.

You could also review changes to the dates of the users' profiles:
c:\users\<profileName>

It will record the time that the profile was last updated, which would happen anytime a user logged onto the server.

If he does require some monitoring going forward, then you can easily configure a startup script to record the date, time and user account that logged on.
0
 
btan (Exec Consultant) Commented:
Saw the Remote Desktop Gateway Manager, which has the RDP store in Event Viewer, assuming audit has been enabled using it.
http://technet.microsoft.com/en-us/library/cc772215.aspx
0
 
Sudeep Sharma (Technical Designer) Commented:
You could use a PowerShell script to get the logon and logout information; a simple example would be like this:

Logon Events:
Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4648 }

Logout Events:
Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4634 }
0
 
btan (Exec Consultant) Commented:
From the event log there would be many types of login; this can be helpful to sieve out specifically the "RemoteInteractive" type (Logon Type: 10).

http://ithompson.wordpress.com/2009/12/01/tracking-rdp-logons/
http://ithompson.wordpress.com/2008/06/06/windows-logon-types/

If you are thinking of Event Viewer, it will not help as much since it doesn’t give us the ability to look for anything in the event message body, such as the logon type. A script or SIEM can help as options.
0
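
Added example, not part of any comment above: a PowerShell sketch that combines the two suggestions in this thread (query the Security log by event ID, then keep only Logon Type 10) and summarises RDP logons per account for the last 90 days. It assumes logon auditing is enabled, PowerShell 3.0 or later, an elevated session, and event ID 4624 (the successful-logon event on Windows Server 2008 and later); the function name Get-RdpLogonSummary is hypothetical.

```powershell
# Added example (not from the thread). Assumes event ID 4624 = successful logon
# and LogonType 10 = RemoteInteractive (RDP). Run elevated on the server.
function Get-RdpLogonSummary {
    param([int]$Days = 90)

    # Filter by log, ID and date at the source instead of piping the whole log
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

    $logons = foreach ($e in $events) {
        # The named fields (LogonType, TargetUserName, ...) live in the event XML
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['LogonType'] -ne '10') { continue }   # keep RDP logons only
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SourceIp = $data['IpAddress']
        }
    }

    # One row per account: count, first/last logon, distinct client addresses
    $logons | Group-Object Account | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Account   = $_.Name
            Logons    = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
            SourceIps = @($_.Group | Select-Object -ExpandProperty SourceIp |
                          Sort-Object -Unique) -join ', '
        }
    } | Sort-Object LastSeen -Descending
}

# The oldest record shows how far back the log really goes; if it is newer
# than three months, older logons have already been overwritten.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
"Security log starts at $($oldest.TimeCreated)"
Get-RdpLogonSummary -Days 90 | Format-Table -AutoSize
```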
 
pma111 Commented:
Is auditing enabled? If not, as suggested above one solution is to check MAC times on the profiles created in the users folder. You can also filter the security logs on ID:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528

No idea if you harvest the logs centrally or if they have been overwritten; perhaps you could get the evt files from a backup if it doesn't go back 3 months in the current file.
0
 
madTECHC (Author) Commented:
The TS hosts have provided a link to a page that provides user access (exc admin) information back for the last three months. Thanks.
0
Question has a verified solution.
