Audit Terminal Server Session

Guest

I would like to be able to log which station connects to the Windows 2000
server via a Terminal Server connection.
For example, I have a couple of administrators who access the Windows 2000
server remotely using the administrator account. (We are working on a policy not to
use the Admin account for login.) Meanwhile, I would like to know what station
was used to connect to the terminal server and at what time of day.
Is that possible, or do I need 3rd-party software? If so, would you know any
3rd-party software?
Regards,
mike
 
Vera Noest [MVP]

Just enable auditing of security events in your domain (Logon and
Logoff events: Success and Failure), and you will be able to see all
logon and logoff events in the Security tab of the EventViewer.
 
Guest

Thanks for your response.
I do have the auditing for logon and logoff enabled.
The problem is that when the administrator logs in to the server, the
domain security event shows that administrator logged on and shows the server
name as workstation. I need to know the remote workstation name that connects
to the terminal server.

I do appreciate your help on this matter.

Regards,

Mike M
 
Vera Noest [MVP]

Strange, I definitely recall seeing the clientname in the
EventLogs. But I'm mostly using 2003, so I could be mistaken. Will
check at work tomorrow.

In the meantime, you can also create your own simple text-based
logfile, by putting a line in your TS-specific login script. If
you don't have a TS login script, you can add this to the standard
login script UsrLogon.cmd, which is run for every TS-connection.

echo %username% %clientname% %date% %time% >> logon.log

195461 - How to Set Up a Logon Script Only for Terminal Server
Users
http://support.microsoft.com/?kbid=195461

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
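
Added example, not part of the original thread: a parser for the lines that the `echo %username% %clientname% %date% %time% >> logon.log` command above writes, turning them into records that can be loaded into a log database and queried by account. The US-English `%date%`/`%time%` layout, the host names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed line layout: US-English %date% ("Tue 03/15/2005") and %time%
# ("14:02:33.51", space-padded before 10:00). Other locales need a new pattern.
LINE_RE = re.compile(
    r"^(?P<user>.+?) (?P<client>\S*) [A-Za-z]{3} "
    r"(?P<date>\d{2}/\d{2}/\d{4}) +(?P<time>\d{1,2}:\d{2}:\d{2})(?:\.\d+)?\s*$"
)

def parse_logon_log(text):
    """Return (records, rejected). Unparseable lines are kept, not dropped,
    because the file is writable by every user who runs the script."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append((lineno, line))
            continue
        when = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
        records.append({
            "user": m["user"],
            # %clientname% expands to nothing when the variable is not set
            "client": m["client"] or None,
            "when": when,
        })
    return records, rejected

def stations_for_account(records, account):
    """Station and time for every logon of one account (case-insensitive)."""
    return [(r["client"], r["when"]) for r in records
            if r["user"].lower() == account.lower()]

# Constructed sample data, not taken from a real server.
SAMPLE = (
    "Administrator WKS-042 Tue 03/15/2005 14:02:33.51 \n"
    "Administrator  Wed 03/16/2005  9:15:07.02 \n"
    "jsmith WKS-017 Wed 03/16/2005 10:41:55.90 \n"
    "Administrator WKS-042 not a date\n"
)

if __name__ == "__main__":
    recs, bad = parse_logon_log(SAMPLE)
    for client, when in stations_for_account(recs, "administrator"):
        print(when.isoformat(), client or "(no client name)")
    print("rejected:", bad)
```

Because every user who runs the logon script must be able to append to the file, treat its contents as user-supplied input and review the rejected lines instead of discarding them.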
 
Vera Noest [MVP]

I've just checked, and I see clientname and IPnumber in the
Logon/Logoff event, if I start a rdp session.
Both on Windows NT 4.0 TSE + Citrix and on Windows 2003 TS.

If the servername equals the workstation name, that would be a
console session.

--
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*
 
Guest

Vera,
Thank you again for the info.
The logon script works fine.
I also tried to turn on the audit on the RDP-TCP session and that did not
work either. I do prefer to have all the logs within eventlogs as I have a
database that holds all the logs and makes it easier for me to search.
 
Vera Noest [MVP]

I don't really understand, Mike.
What do you mean by "audit on RDP-TCP... did not work"?
Don't you see the entries at all?
By the way, I mean the security EventLog on the TS, not on the DC.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
Guest

Dear Vera,
I went to Terminal Server Configuration and turned on the audit for the
administrator account for logon and logoff in RDP-TCP properties and it still
did not show anything in the event log of the server.
Do I have to reboot the terminal server or stop and start the RDP-TCP
service for the audit to work?

Regards,
MikeM
 
Vera Noest [MVP]

Aaah! I'm talking about auditing for the whole server, or better
still, the domain.
You would configure this in your Default Domain Security Policy.
That should log all the info you need in the EventLog on the TS.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
