Want to work with us? We're on the lookout for digital experts.

We're hiring

Logging RDP Access on Windows Server 2003

Web Bureau

28 February 2013 by Web Bureau

If you don't already have account logon events audited, then turning it on is not going to help you determine who has logged on to the server already

Look in the Security Event Log for a Logon/Logoff Event 528, Logon Type 10

You can also setup an Audit Policy using the Group Policy editor to log logon success and failures. Go to Run and type gpedit.msc

Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies -> Audit logon events. Right click and select properties.

You can find the IP address of the usr by the following:

In the text of the Event ID 528\Type 10 log entry you'll see the Source Network Address. This is the ip address that the client connected from. Note that this is the public ip address the client connection came from and is going to be the public ip address that the client's internal ip address is being NAT'ed to. You won't see the client's internal ip address in the log, but you can see it on the information tab when viewing a users connection in TS manager

Grow your businessStart a project with us today.

This site uses essential cookies for parts of the site to operate and have already been set. Find out more about how we use cookies and how you may delete them. You may delete cookies, but parts of the site will not work.