
Event Logged when session stolen.

Hey Experts,

We have an RDS farm which uses a gateway to distribute connections to servers.  My question is, is there an event logged for when a session is taken by another login?  (i.e. user johnsmith logs in from home stealing the session he left open at work)

If so, is that logged on the server level or gateway level and in which log?

Thanks!
0
Asked by: Dustin Saunders
1 Solution
 
bbao (IT Consultant) commented:
Try this script; the IP address can tell you where a user logs on from.

http://gallery.technet.microsoft.com/scriptcenter/e8c3af96-db10-45b0-88e3-328f087a8700
0
 
Dustin Saunders (Director of Operations, Author) commented:
But how would I distinguish that it was a stolen session?  Wouldn't it look the same if they logged off vs had the session taken over at a different location?
0
 
bbao (IT Consultant) commented:
good question. :)

To be honest I didn't try that script before. If I were you, I would try it and compare the outputs of the two kinds of login.
0

 
Dustin Saunders (Director of Operations, Author) commented:
I believe this event is a determinant:
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}


When the reason code is 5.

I ran login/logoff tests on 3 users: 20 logins with 6 'stolen' sessions each and 14 logoffs, and the data lines up.
0
 
Senior IT System Engineer (IT Professional) commented:
Dustin,

Does that script have to be executed on the terminal servers, or can it be executed remotely from our laptop?
0
 
Dustin Saunders (Director of Operations, Author) commented:
It can be executed from a PC so long as you can reach the computer in question, but you need to invoke it in a PSSession.

$server = "TestServer123" # define the server to connect to
$session = New-PSSession -ComputerName $server # create a new remote PS session
$events = Invoke-Command -Session $session -ScriptBlock {Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}}
Remove-PSSession $session



This gives you the object $events which you can dump to a CSV, or do whatever with.
0
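The following script is an added example and is not code posted in this thread. It combines the two points above: it runs the Event ID 40 query remotely against one or more RD Session Host servers (the LocalSessionManager log lives on each session host, not on the gateway), keeps only disconnects with reason code 5, which the thread ties to a session taken over by another connection, and then looks for the Event ID 25 "session reconnection succeeded" record on the same session ID so the report shows who reconnected and from which address. The server names are placeholders, and the UserData/EventXML field names (Session and Reason for ID 40; User, SessionID and Address for ID 25) are assumptions to check against an event on your own servers before relying on the output.

```powershell
# Added example, not code from the thread. Reports RDS sessions taken over by
# another connection (Event ID 40, reason code 5) and, where found, the user and
# source address of the reconnect (Event ID 25) on the same session.
# Assumptions: placeholder server names; EventXML field names as described above.
param(
    [string[]]$ComputerName = @('RDSH-01', 'RDSH-02'),   # placeholder server names
    [int]$Hours = 24,
    [string]$OutCsv = (Join-Path $env:TEMP 'stolen-sessions.csv')
)

$log   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$since = (Get-Date).AddHours(-$Hours)

# Runs on each session host. Returns plain objects so they deserialize cleanly.
$collect = {
    param($LogName, $StartTime)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 40, 25; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$x = $_.ToXml()
            $d = $x.Event.UserData.EventXML   # assumed layout of the event's UserData
            if ($_.Id -eq 40) {
                [pscustomobject]@{ Server = $env:COMPUTERNAME; Id = 40; Time = $_.TimeCreated
                                   SessionId = [int]$d.Session; Reason = [int]$d.Reason; User = $null; Address = $null }
            } else {
                [pscustomobject]@{ Server = $env:COMPUTERNAME; Id = 25; Time = $_.TimeCreated
                                   SessionId = [int]$d.SessionID; Reason = $null; User = $d.User; Address = $d.Address }
            }
        }
}

$events = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect -ArgumentList $log, $since

# Reason 5 = the existing connection was replaced by another connection (the thread's tests).
$stolen = foreach ($e in ($events | Where-Object { $_.Id -eq 40 -and $_.Reason -eq 5 })) {
    # The reconnect (ID 25) for the takeover lands on the same session within seconds.
    $reconnect = $events |
        Where-Object { $_.Id -eq 25 -and $_.Server -eq $e.Server -and $_.SessionId -eq $e.SessionId -and
                       [math]::Abs(($_.Time - $e.Time).TotalSeconds) -le 30 } |
        Sort-Object Time | Select-Object -First 1
    [pscustomobject]@{
        Server       = $e.Server
        Disconnected = $e.Time
        SessionId    = $e.SessionId
        TakenOverBy  = $reconnect.User      # $null if no matching ID 25 was found
        FromAddress  = $reconnect.Address
    }
}

$stolen | Sort-Object Disconnected | Format-Table -AutoSize
$stolen | Export-Csv -Path $OutCsv -NoTypeInformation
```

Run it from an admin workstation with WinRM access to the session hosts; because the filtering runs inside the remote script block, only the matching events cross the wire. A takeover that produces reason 5 but no ID 25 within the 30-second window still appears in the report with empty TakenOverBy and FromAddress columns, so nothing is silently dropped.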
 
Dustin Saunders (Director of Operations, Author) commented:
The event appears to be Event ID 40 from TerminalServices-LocalSessionManager\Operational where reason code is 5.
0