The first time I used these logs is when I was running an audit to figure out whether a specific user has recently accessed my server using Remote Desktop Connection.
In order to identify who has recently had a full session remotely running on your server, you: look at the events located at these two places:
Event Viewer > Application and Service logs > Microsoft > Windows > TerminalServices – Local SessionManager > Operational
Event Viewer > Application and Service logs > Microsoft > Windows > TerminalServices – RemoteConnectionManager > Operational
To have any events logged in here, you have to at least have these things in place:
- You must be running the Windows Feature AppServer (Terminal Services Application Server)
- The specified logs must be enabled.
With these conditions in place, these logs show give you the user names and computer names of all Remote Desktop sessions that have taken place between your computer and other client devices for a certain duration of time. Of course the length of the log depends on the properties you have set for the logs (e.g. Enabled logging, Maximum log size, what to do when maximum event log size is reached, etc.).
Please note that these logs can also be used to diagnose and troubleshoot RDS sessions that disconnect in an apparently random way.
One other place you can check is your Event Viewer > Windows Logs > Security which should have audit log of successful and failed logons if you had activated the “Audit logon events” in Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy snap-in.
Finally, a rather simple way you can go about it is by using the command line as an administrator and typing the following command (more about it at the Windows Command Line reference below):
net user username | findstr /B /C:"Last logon"
Do you know of any other ways to achieve this audit? Please let us know in the comment section.
Some other useful resources include: