Archived from groups: microsoft.public.win2000.security (More info?)
Thank you for posting.
I understand that you want to enable the auditing for terminal server.
Please try the following suggestions:
Enable audit for rdp-tcp connection in Terminal Services Configuration.
After enable audit for RDP-TCP, it's better to restart the server to take
settings into effect. Then in the security event log, study the following
Event 528 for logon (the logon type should be 2)
Event 538 for logoff (the logon type should be 2)
Event 683 for session disconnection
Event 682 for session reconnection
The logon/logoff event will not state whether it's via local console or
During the research, I found the following script which logs the user name
and the system name of the client from where the logon was initiated. It
stores the information in application log and the source as WSH.
'Script to Audit logon events on terminal server
Set Net = CreateObject("WScript.Network")
Set Sh = CreateObject("WScript.Shell")
User = Net.Username
Remote = Sh.ExpandEnvironmentStrings("%Clientname%")
Sh.LogEvent 4, User & " Logged on from " & Remote & "."
'To log at what time the login took place
Sh.LogEvent 4, Now & ":" & User & " Logged on from " & Remote & "."
This can be saved as a VBS file and called from usrlogon.cmd; it will
automatically write the user's name and the name of the client system to
the event log. It will show up in the Application log with the source
shown as WSH
I hope the above information helps. If there is anything unclear, please
feel free to let me know. Thank you and have a nice day!
This posting is provided "AS IS" with no warranties, and confers no rights.
| Content-Class: urn:content-classes:message
| From: "mb" <firstname.lastname@example.org>
| Sender: "mb" <email@example.com>
| Subject: audit a terminal services session on W2K Advanced Server
| Date: Thu, 15 Jul 2004 09:54:56 -0700
| Lines: 8
| Message-ID: <firstname.lastname@example.org>
| MIME-Version: 1.0
| Content-Type: text/plain;
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcRqjHVDrFqjCRIuTue2OvujKA49qQ==
| Newsgroups: microsoft.public.win2000.security
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.security:29577
| NNTP-Posting-Host: tk2msftngxa12.phx.gbl 10.40.1.164
| X-Tomcat-NG: microsoft.public.win2000.security
| Do you know if it is possible to audit the terminal
| services session to a server.
| Can I know when and from which PC the user logon with a
| terminal services?