Solved

Event Logged when session stolen.

Posted on 2016-08-10
7
23 Views
Last Modified: 2016-08-15
Hey Experts,

We have an RDS farm which uses a gateway to distribute connections to servers.  My question is, is there an event logged for when a session is taken by another login?  (i.e. user johnsmith logs in from home stealing the session he left open at work)

If so, is that logged on the server level or gateway level and in which log?

Thanks!
0
Comment
Question by:Dustin Saunders
  • 4
  • 2
7 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 41750712
try this script, the IP address can tell you where a user logs on from.

http://gallery.technet.microsoft.com/scriptcenter/e8c3af96-db10-45b0-88e3-328f087a8700
0
 
LVL 12

Author Comment

by:Dustin Saunders
ID: 41750732
But how would I distinguish that it was a stolen session?  Wouldn't it look the same if they logged off vs had the session taken over at a different location?
0
 
LVL 37

Expert Comment

by:bbao
ID: 41750745
good question. :)

to be honest i didn't try that script before. if I was you, i would try it and compare the outputs of the two kinds of login.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 12

Accepted Solution

by:
Dustin Saunders earned 0 total points
ID: 41751074
I believe this event is a determinant:
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}

Open in new window

When the reason code is 5.

I ran login/logoff tests on 3 users.  20 logins w/ 6 'stolen' sessions each and 14 log offs and the data lines up.
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41752217
Dustin,

Does that script must be executed on the terminal servers or can be executed remotely from our laptop ?
0
 
LVL 12

Author Comment

by:Dustin Saunders
ID: 41752240
It can be executed from a PC so long as you can reach the computer in question, but you need to invoke it in a PSSession.

$server = "TestServer123" #define the server to connect to
    $session = New-PSSession -ComputerName $server #Create a new remote PS Session.
    $events = Invoke-Command -Session $session -ScriptBlock {Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}}
    Remove-PSSession $session

Open in new window


This gives you the object $events which you can dump to a CSV, or do whatever with.
0
 
LVL 12

Author Closing Comment

by:Dustin Saunders
ID: 41756122
The event appears to be Event ID 40 from TerminalServices-LocalSessionManager\Operational where reason code is 5.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question