Menu

Want to work with us? We're on the lookout for a UX/UI Designer and Digital Project Manager.

We're hiring

Logging RDP Access on Windows Server 2003

Web Bureau


28 February 2013 by Web Bureau

If you don't already have account logon events audited, then turning it on is not going to help you determine who has logged on to the server already

Look in the Security Event Log for a Logon/Logoff Event 528, Logon Type 10

You can also setup an Audit Policy using the Group Policy editor to log logon success and failures. Go to Run and type gpedit.msc

Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies -> Audit logon events. Right click and select properties.

You can find the IP address of the usr by the following:

In the text of the Event ID 528\Type 10 log entry you'll see the Source Network Address. This is the ip address that the client connected from. Note that this is the public ip address the client connection came from and is going to be the public ip address that the client's internal ip address is being NAT'ed to. You won't see the client's internal ip address in the log, but you can see it on the information tab when viewing a users connection in TS manager

Grow your businessStart a project with us today.