Solved

Event Logged when session stolen.

Posted on 2016-08-10
7
24 Views
Last Modified: 2016-08-15
Hey Experts,

We have an RDS farm which uses a gateway to distribute connections to servers.  My question is, is there an event logged for when a session is taken by another login?  (i.e. user johnsmith logs in from home stealing the session he left open at work)

If so, is that logged on the server level or gateway level and in which log?

Thanks!
0
Comment
Question by:Dustin Saunders
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 41750712
try this script, the IP address can tell you where a user logs on from.

http://gallery.technet.microsoft.com/scriptcenter/e8c3af96-db10-45b0-88e3-328f087a8700
0
 
LVL 12

Author Comment

by:Dustin Saunders
ID: 41750732
But how would I distinguish that it was a stolen session?  Wouldn't it look the same if they logged off vs had the session taken over at a different location?
0
 
LVL 37

Expert Comment

by:bbao
ID: 41750745
good question. :)

to be honest i didn't try that script before. if I was you, i would try it and compare the outputs of the two kinds of login.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 12

Accepted Solution

by:
Dustin Saunders earned 0 total points
ID: 41751074
I believe this event is a determinant:
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}

Open in new window

When the reason code is 5.

I ran login/logoff tests on 3 users.  20 logins w/ 6 'stolen' sessions each and 14 log offs and the data lines up.
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41752217
Dustin,

Does that script must be executed on the terminal servers or can be executed remotely from our laptop ?
0
 
LVL 12

Author Comment

by:Dustin Saunders
ID: 41752240
It can be executed from a PC so long as you can reach the computer in question, but you need to invoke it in a PSSession.

$server = "TestServer123" #define the server to connect to
    $session = New-PSSession -ComputerName $server #Create a new remote PS Session.
    $events = Invoke-Command -Session $session -ScriptBlock {Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}}
    Remove-PSSession $session

Open in new window


This gives you the object $events which you can dump to a CSV, or do whatever with.
0
 
LVL 12

Author Closing Comment

by:Dustin Saunders
ID: 41756122
The event appears to be Event ID 40 from TerminalServices-LocalSessionManager\Operational where reason code is 5.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question