Dustin Saunders
asked on
Event Logged when session stolen.
Hey Experts,
We have an RDS farm which uses a gateway to distribute connections to servers. My question is, is there an event logged for when a session is taken by another login? (i.e. user johnsmith logs in from home stealing the session he left open at work)
If so, is that logged on the server level or gateway level and in which log?
Thanks!
ASKER
But how would I distinguish that it was a stolen session? Wouldn't it look the same if they logged off vs had the session taken over at a different location?
Good question. :)
To be honest, I didn't try that script before. If I were you, I would try it and compare the outputs of the two kinds of login.
Dustin,
Does that script have to be executed on the terminal servers, or can it be executed remotely from our laptop?
ASKER
It can be executed from a PC so long as you can reach the computer in question, but you need to invoke it in a PSSession.
```powershell
$server = "TestServer123"                     # define the session host to connect to
$session = New-PSSession -ComputerName $server # create a new remote PS session (needs WinRM and admin rights on the host)
# Event ID 40 ("Session <n> has been disconnected, reason code <r>") lives in the
# LocalSessionManager Operational log on the session host, not on the gateway.
$events = Invoke-Command -Session $session -ScriptBlock {
    Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}
}
Remove-PSSession $session                      # always tear the session down when done
```
This gives you the object $events which you can dump to a CSV, or do whatever with.
ASKER
The event appears to be Event ID 40 from TerminalServices-LocalSessionManager\Operational where the reason code is 5.
http://gallery.technet.microsoft.com/scriptcenter/e8c3af96-db10-45b0-88e3-328f087a8700
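Worked example, added here and not part of the original thread or the linked gallery script: it pulls Event ID 40 from the LocalSessionManager Operational log on each session host, keeps only those with reason code 5 (the message text for that code is "The client's connection was replaced by another connection"), and pairs each one with the Event ID 25 (session reconnection succeeded) that follows for the same session ID, which is the record that carries the user name and the source network address of the new connection. The element names read from the event XML (Session, Reason, User, SessionID, Address) are those shown in Event Viewer's XML view for these two events; confirm them against one event on your own servers before relying on the output. The host names in the usage line are hypothetical. The XML parsing runs inside the remote script block on purpose: the objects Invoke-Command returns are deserialized copies and no longer have the ToXml() method.

```powershell
# Added example (not from the original thread). Assumes WinRM is enabled and you
# hold admin rights on the session hosts; the LocalSessionManager Operational
# log is on by default.

function Get-TakenOverSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [datetime] $Since = (Get-Date).AddDays(-1),
        [int] $MatchWindowSeconds = 120   # how long after the disconnect to look for the reconnect
    )

    # Runs ON the session host. Pulls Event 40 (disconnect + reason code) and
    # Event 25 (reconnect: user, session ID, source address) and flattens both
    # into plain objects so they survive remoting.
    $extract = {
        param([datetime]$Since)
        $filter = @{
            LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            Id        = 40, 25
            StartTime = $Since
        }
        # SilentlyContinue: Get-WinEvent raises an error when no events match
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.EventXML   # element names assumed from the XML view
            if ($_.Id -eq 40) {
                [pscustomobject]@{ Time = $_.TimeCreated; Id = 40; Session = [int]$d.Session
                                   Reason = [int]$d.Reason; User = $null; Address = $null }
            } else {
                [pscustomobject]@{ Time = $_.TimeCreated; Id = 25; Session = [int]$d.SessionID
                                   Reason = $null; User = $d.User; Address = $d.Address }
            }
        }
    }

    foreach ($server in $ComputerName) {
        $events = Invoke-Command -ComputerName $server -ScriptBlock $extract -ArgumentList $Since |
                  Sort-Object Time          # Get-WinEvent returns newest first; we want chronological order

        # Reason code 5 = the client's connection was replaced by another connection.
        foreach ($dc in ($events | Where-Object { $_.Id -eq 40 -and $_.Reason -eq 5 })) {
            # First reconnect of the same session within the window tells us who took it and from where.
            $reconnect = $events | Where-Object {
                $_.Id -eq 25 -and $_.Session -eq $dc.Session -and
                $_.Time -ge $dc.Time -and
                ($_.Time - $dc.Time).TotalSeconds -le $MatchWindowSeconds
            } | Select-Object -First 1

            [pscustomobject]@{
                Server           = $server
                SessionId        = $dc.Session
                DisconnectedAt   = $dc.Time
                ReconnectedAt    = $reconnect.Time
                User             = $reconnect.User
                NewSourceAddress = $reconnect.Address
            }
        }
    }
}

# Usage (hypothetical host names):
# Get-TakenOverSession -ComputerName RDSH01, RDSH02 -Since (Get-Date).AddHours(-8) |
#     Export-Csv -NoTypeInformation .\taken-sessions.csv
```

Two caveats when reading the output. Reason code 5 only says the existing connection was replaced, not where the replacement came from, so a reconnect from the same workstation after a dropped network link looks the same in Event 40; compare NewSourceAddress against the address in the session's earlier Event 21/25 records to tell a takeover from another location apart from a plain reconnect. And because the takeover happens on the session host, this is where it is logged; the RD Gateway's own log (Microsoft-Windows-TerminalServices-Gateway/Operational) records the client's connection through the gateway but not the replacement of the session on the host.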