Remote Desktop Reports (who logged in and logged out on the server for last 24 hours)

hi,

i am looking for the solution for the remote desktop users on a particular server, how many users logged in, logged out, with time of logging in and logging out.

actually i want to make a report of check and balance that which user logged into the server and why ? why the user logged in and logged out and how long it took user to logged into the server.

 

is there any way to get this report or any software, script or command ? to get the result out.

thanks in advance

 

Regards

Owais

November 8th, 2010 1:58pm

Hi Owais - your best bet would probably be TSLog solution:

http://www.terminalserviceslog.com/

Great product and great people behind it too!

Free Windows Admin Tool Kit Click here and download it now
November 8th, 2010 9:15pm

Hi,

 

 

There are several methods for this requirements:

 

Method 1:

 

You can try to enable the policy "Audit logon events" and then we can audit the user logon/logoff events in the security log.  

 

To enable the policy "Audit logon events", please perform the following steps:

 

1. Logon Domain Controller using domain administrator.

 

2. Open default domain controller policy or create a new GPO at domain level.

 

3. Click Local Computer Policy, click Computer Configuration, and then click Windows Settings->Security Settings->Local Policies->Audit Policy->Double click Audit logon events and Audit Account Logon Events->Select Success and Failure.  Click OK.

 

You can find the following information from the Windows Server 2003 Security Guide:

 

 

Audit Account Logon Events

 

Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails.

 

If success auditing for account logon events is enabled on a domain controller, an entry is logged for each user who is validated against that domain controller, even though the user is actually logging on to a workstation that is joined to the domain.

 

Audit Logon Events

 

Determines whether to audit each instance of a user logging on to, logging off from, or making a network connection to this computer. If you are logging successful account logon audit events on a domain controller, workstation logon attempts do not generate logon audits. Only interactive and network logon attempts to the domain controller itself generate logon events. In short, "account logon events" are generated where the account lives; "logon events" are generated where the logon attempt occurs.

 

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.

 

Windows Server 2003 Security Guide

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

 

 

Method 2:

 

 

 

You can also add some lines to the logon and log off script to write something to the server share log file.

 

@echo off

 

echo [%date%  %time%] >>\\server\share\logon.log

 

echo %username% log on %computername% to damain: %userdomain% >>\\server\share\logon.log

 

NOTE: you may need to give write permission to everyone to get the log accessed by all users.

 

 

 

Method 3:

 

We can use a new tool called LimitLogin.

 

LimitLogin v1.0 is an application that adds the ability to limit concurrent interactive user logons in an Active Directory domain. It can also keep track of all logins information in Active Directory domains (without necessarily enforcing logons quotas).

LimitLogin capabilities include:

 

l  Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.

l  Displaying the logins information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).

l  Easy management and configuration by integrating to the Active Directory MMC snap-ins.

l  Ability to delete and log off user session remotely straight from the Active Directory Users and Computers MMC snap-in.

l  Generating Login information reports in CSV (Excel) and XML formats.

 

Please keep in mind that this tool is Not Supported (similar to a resource kit tools).

 

More information regarding this tool is available in:

http://technet.microsoft.com/en-us/magazine/cc160794.aspx

 

Hope it helps.

November 9th, 2010 6:51am

Hello Alan,

I have to monitor and provide daily report for failed RDP logon for all servers in one particular OU (Win2003, 2003R2,2008,2008R2).

Should I enable "Audit logon - Failure" only on DCs or on all Servers from OU?

I have found following script to prepare report automatically:

#Here we flesh out some variables
$Date= Get-date      
$DC= "2K8R2.foo.org"
$Report= "c:\temp\report.html"

#Here we create a web template
$HTML=@"
<title>Event Logs Report</title>
<style>
BODY{background-color :#FFFFF}
TABLE{Border-width:thin;border-style: solid;border-color:Black;border-collapse: collapse;}
TH{border-width: 1px;padding: 1px;border-style: solid;border-color: black;background-color: ThreeDShadow}
TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color: Transparent}
</style>
"@

#Get the event log, then extract some properties
$eventsDC = Get-Eventlog security -Computer $DC -InstanceId 4771 -After (Get-Date).AddDays(-1) |
   Select TimeGenerated,ReplacementStrings |
   % {
   $IPAddress = (($_.ReplacementStrings[6]).Remove(0,7))
   $Hostname = ([System.Net.Dns]::GetHostByAddress($IPAddress) | select Hostname)
   $hostname = (($Hostname.hostname).replace(".foo.org",""))
   New-Object PSObject -Property @{
     UserName = $_.ReplacementStrings[0]
            Source_Computer = $hostname
            IP_Address = (($_.ReplacementStrings[6]).Remove(0,7))
            Date = $_.TimeGenerated
    } #End NewObject -Property
   } #End Foreach

#Inject the object created above into an HTML page
$eventsDC | ConvertTo-Html -Property Date,Source_Computer,IP_Address,UserName -head $HTML -body "<H2>Generated On $Date</H2>"| Out-File $Report -Append

#Mail the page, and then delete the original
$Text = "Password Failures from $DC"
Send-Mailmessage -from "administrator@foo.org" -to administrator@foo.org -subject $Text -smtpserver MailServer01 -body $Text -attachments $Report
del $report

Thank you

Alex

Free Windows Admin Tool Kit Click here and download it now
June 27th, 2013 8:10pm

I wrote this script for a customer.  The Output will be on your desktop when finished.

RDPConnectionParser.ps1

https://gallery.technet.microsoft.com/Remote-Desktop-Connection-3fe225cd

Sample Output:

Remote Desktop PowerShell Connection Report

April 8th, 2015 10:10pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics