Windows Server last access timestamp (RDP)

pma111
Is there a relatively easy way to determine the last time an officer logged on (e.g. RDP) to a Windows server? I need to verify a list of officers with admin access to a server and need some stats on last access to help flag potential inappropriate assignment of admin rights.
Huig Guijt, System Administrator

Commented:
You would have to enable auditing of logon events on every RDS Host.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events

Then monitor or forward your event log for event 528.
Distinguished Expert 2018
Commented:
If this is about domain accounts: domain controllers would log logon events by default (starting with Server 2008). So you could use their security event logs, if they date back that far. Open it and search for the account name. Or parse the log using PowerShell (sorry, no script example at hand).
If you have auditing enabled then you will have events in the event logs and also you can configure an alert, looking for those particular events.

Check if this helps you:

How to keep track of privileged user accounts in Active Directory:
https://community.spiceworks.com/how_to/128307-how-to-keep-track-of-privileged-user-accounts-in-active-directory
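
One way to parse the Security log with PowerShell, as mentioned in the answers above (an added example, not a script from any of the commenters). It assumes Windows Server 2008 or later, where a successful logon is recorded as event 4624 and RDP sessions carry LogonType 10, that logon auditing is enabled, and that it runs elevated; the account names are constructed placeholders.

```powershell
param(
    [string]   $ComputerName = $env:COMPUTERNAME,
    # Constructed sample accounts (assumption); replace with the admin list under review.
    [string[]] $Admins = @('CONTOSO\alice.admin', 'CONTOSO\bob.admin')
)

# Assumption: 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"

# Get-WinEvent raises an error when nothing matches, so suppress it and
# treat "no events" as an empty result.
$events = @(Get-WinEvent -ComputerName $ComputerName -LogName Security `
            -FilterXPath $xpath -ErrorAction SilentlyContinue)

# Events arrive newest first, so the first hit per account is its last logon.
$last = @{}
foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $account = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
    if (-not $last.ContainsKey($account)) {
        $last[$account] = [pscustomobject]@{ Time = $e.TimeCreated; Source = $d.IpAddress }
    }
}

# The oldest retained event bounds how far back an empty result can be trusted.
$oldest = (Get-WinEvent -ComputerName $ComputerName -LogName Security `
           -Oldest -MaxEvents 1).TimeCreated

# One row per reviewed account, including accounts with no RDP logon in the log.
foreach ($a in $Admins) {
    [pscustomobject]@{
        Account      = $a
        LastRdpLogon = if ($last.ContainsKey($a)) { $last[$a].Time } else { $null }
        SourceIp     = if ($last.ContainsKey($a)) { $last[$a].Source } else { $null }
        LogStartsAt  = $oldest
    }
}
```

An empty `LastRdpLogon` means no RDP logon since `LogStartsAt`, not that the account has never logged on; the result only reaches as far back as the log is retained.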
