[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Event Logged when session stolen.

Posted on 2016-08-10
7
Medium Priority
?
35 Views
Last Modified: 2016-08-15
Hey Experts,

We have an RDS farm which uses a gateway to distribute connections to servers.  My question is, is there an event logged for when a session is taken by another login?  (i.e. user johnsmith logs in from home stealing the session he left open at work)

If so, is that logged on the server level or gateway level and in which log?

Thanks!
0
Comment
Question by:Dustin Saunders
  • 4
  • 2
7 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 41750712
try this script, the IP address can tell you where a user logs on from.

http://gallery.technet.microsoft.com/scriptcenter/e8c3af96-db10-45b0-88e3-328f087a8700
0
 
LVL 16

Author Comment

by:Dustin Saunders
ID: 41750732
But how would I distinguish that it was a stolen session?  Wouldn't it look the same if they logged off vs had the session taken over at a different location?
0
 
LVL 37

Expert Comment

by:bbao
ID: 41750745
good question. :)

to be honest i didn't try that script before. if I was you, i would try it and compare the outputs of the two kinds of login.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 16

Accepted Solution

by:
Dustin Saunders earned 0 total points
ID: 41751074
I believe this event is a determinant:
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}

Open in new window

When the reason code is 5.

I ran login/logoff tests on 3 users.  20 logins w/ 6 'stolen' sessions each and 14 log offs and the data lines up.
0
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41752217
Dustin,

Does that script must be executed on the terminal servers or can be executed remotely from our laptop ?
0
 
LVL 16

Author Comment

by:Dustin Saunders
ID: 41752240
It can be executed from a PC so long as you can reach the computer in question, but you need to invoke it in a PSSession.

$server = "TestServer123" #define the server to connect to
    $session = New-PSSession -ComputerName $server #Create a new remote PS Session.
    $events = Invoke-Command -Session $session -ScriptBlock {Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}}
    Remove-PSSession $session

Open in new window


This gives you the object $events which you can dump to a CSV, or do whatever with.
0
 
LVL 16

Author Closing Comment

by:Dustin Saunders
ID: 41756122
The event appears to be Event ID 40 from TerminalServices-LocalSessionManager\Operational where reason code is 5.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits …
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Suggested Courses

591 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question