Client address logging in Terminal server

Status
Not open for further replies.

StefBez

Hi,

I think somebody snatched my admin username and password. In order to catch this guy I need log files to prove my theory.

I need to log account logons, which I am already doing. Problem is that it logs username as "admin" and workstation as "my terminal server" or the server running terminal services in remote administration mode. I need to trace it to the client machine name or IP address from which the person connected to the server using terminal server client. I see winsta.exe shows you the connection and also "connected from". This is typically what I need, but I need the server and all the servers in my domain to log this. Winsta.exe is very limited for this reason. It cannot log and you need to run it on every server.

Is there some way to get this info into a logfile or event viewer?

Any help please!

Stef
 
You could monitor the counter Terminal Services Session in perfmon. You can then save the chart as an HTML file.
CitrixEngineer@yahoo.co.uk
 
No,

This only gives you number of active sessions, errors and so on. I need to know the client's IP address or workstation name.
 
This information is shown in Terminal Services Manager. The event log will capture IP addresses of clients logging in, with auditing enabled. But if you're not running Service Pack 3 then it will capture the client's IP address instead of any NAT device (the true source) - Q324956

netstat should resolve the IP address easily enough, or you could use windump.
Hope this is helpful
CitrixEngineer@yahoo.co.uk
 
I set the group policy to audit logon events and account logon events, success and failure.
I also added the "everyone" group to auditing under the RDP properties (in terminal server configuration), permissions, advanced, auditing tab, and selected everything there is to audit
(things like logon, logoff, reset, connect, and so on).

In the event logs I only get the ID used to log on, and the workstation is logged as the terminal server itself. When a user disconnects or reconnects to a session his IP address is logged. It is not logged when he does a new logon and a new session is created.
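
The netstat suggestion in the thread can be turned into a log file. The following is an added example, not code from any poster: it parses `netstat -an` output and writes one timestamped entry per established inbound Terminal Services connection. The port 3389 default, the server name `TS01` and the sample output are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

RDP_PORT = 3389  # assumption: the Terminal Services listener is on its default port

# Constructed sample of `netstat -an` output on a terminal server (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.77:1042         ESTABLISHED
  TCP    10.0.0.5:3389          192.168.14.9:2210      ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.77:1050         ESTABLISHED
  TCP    10.0.0.5:1187          10.0.0.20:3389         ESTABLISHED
  TCP    10.0.0.5:3389          10.0.0.31:4021         TIME_WAIT
"""

# Proto, local addr:port, foreign addr:port, state
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def rdp_clients(netstat_text, port=RDP_PORT):
    """Return (client_ip, client_port) for established inbound sessions on `port`."""
    clients = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, blank line or UDP entry
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        # Inbound only: the *local* port must be the listener. A local ephemeral
        # port talking to another host's 3389 is an outbound session from this box.
        if int(local_port) == port and state == "ESTABLISHED":
            clients.append((remote_ip, int(remote_port)))
    return clients

def log_lines(server, netstat_text, when=None):
    """Format one log entry per connected client, stamped in UTC."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f"{stamp} server={server} rdp_client={ip}:{p}"
            for ip, p in rdp_clients(netstat_text)]

if __name__ == "__main__":
    for entry in log_lines("TS01", SAMPLE_NETSTAT):
        print(entry)
```

netstat is a point-in-time snapshot, so this has to be run on a schedule on each server and will miss sessions that start and end between runs; the address it records is whatever peer the server sees on the TCP connection.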

 