Sign in with
Sign up | Sign in
Your question

audit a terminal services session on W2K Advanced Server

Tags:
  • Terminal
  • Servers
  • Windows
Last response: in Windows 2000/NT
Share
July 15, 2004 1:54:56 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,
Do you know if it is possible to audit the terminal
services session to a server.
Can I know when and from which PC the user logon with a
terminal services?

Thanks

More about : audit terminal services session w2k advanced server

Anonymous
July 19, 2004 10:02:00 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

Thank you for posting.

I understand that you want to enable the auditing for terminal server.

Please try the following suggestions:

Enable audit for rdp-tcp connection in Terminal Services Configuration.
After enable audit for RDP-TCP, it's better to restart the server to take
the
settings into effect. Then in the security event log, study the following
events:

Event 528 for logon (the logon type should be 2)
Event 538 for logoff (the logon type should be 2)
Event 683 for session disconnection
Event 682 for session reconnection

The logon/logoff event will not state whether it's via local console or
terminal session.

During the research, I found the following script which logs the user name
and the system name of the client from where the logon was initiated. It
stores the information in application log and the source as WSH.

'Script to Audit logon events on terminal server
'Auditlogon.vbs
Set Net = CreateObject("WScript.Network")
Set Sh = CreateObject("WScript.Shell")
User = Net.Username
Remote = Sh.ExpandEnvironmentStrings("%Clientname%")
Sh.LogEvent 4, User & " Logged on from " & Remote & "."
'OR
'To log at what time the login took place
Sh.LogEvent 4, Now & ":" & User & " Logged on from " & Remote & "."

This can be saved as a VBS file and called from usrlogon.cmd; it will
automatically write the user's name and the name of the client system to
the event log. It will show up in the Application log with the source
shown as WSH

I hope the above information helps. If there is anything unclear, please
feel free to let me know. Thank you and have a nice day!

Rashmi

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Content-Class: urn:content-classes:message
| From: "mb" <anonymous@discussions.microsoft.com>
| Sender: "mb" <anonymous@discussions.microsoft.com>
| Subject: audit a terminal services session on W2K Advanced Server
| Date: Thu, 15 Jul 2004 09:54:56 -0700
| Lines: 8
| Message-ID: <2da0201c46a8c$7545f060$a401280a@phx.gbl>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcRqjHVDrFqjCRIuTue2OvujKA49qQ==
| Newsgroups: microsoft.public.win2000.security
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.security:29577
| NNTP-Posting-Host: tk2msftngxa12.phx.gbl 10.40.1.164
| X-Tomcat-NG: microsoft.public.win2000.security
|
| Hi,
| Do you know if it is possible to audit the terminal
| services session to a server.
| Can I know when and from which PC the user logon with a
| terminal services?
|
| Thanks
|
|
!