28 February 2013 by Web Bureau
If you don't already have account logon events audited, then turning it on is not going to help you determine who has logged on to the server already
Look in the Security Event Log for a Logon/Logoff Event 528, Logon Type 10
You can also setup an Audit Policy using the Group Policy editor to log logon success and failures. Go to Run and type gpedit.msc
Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies -> Audit logon events. Right click and select properties.
You can find the IP address of the usr by the following:
In the text of the Event ID 528\Type 10 log entry you'll see the Source Network Address. This is the ip address that the client connected from. Note that this is the public ip address the client connection came from and is going to be the public ip address that the client's internal ip address is being NAT'ed to. You won't see the client's internal ip address in the log, but you can see it on the information tab when viewing a users connection in TS manager