Terminal server log

  • Thread starter Thread starter RedFoxy
  • Start date Start date
R

RedFoxy

Guest
Hi all!
I need to know if a windows 2003 SBS (the full version with SQL not the
standard version) logs Terminal server connections and where are the
logs, i need to know the ip address of a connection by terminal server
and if is possible, what they do like data transfer and similar, I'm
reading the event log of windows, but i don't foun anything of strange,
i found only some try of a terminal server connection that try to
connect some printers that server don't know and it haven't the right
drivers...
The windows 2003 server SBS is just installed, i haven't changed any
policy about log on and terminal server and windows have all windows
updated.

Thank's for all!
 
Re: Terminal server log

The only place where you can see this is in the Security EventLog, if
you have enabled auditing of logon and logoff events.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in
microsoft.public.windows.terminal_services:

> Hi all!
> I need to know if a windows 2003 SBS (the full version with SQL
> not the standard version) logs Terminal server connections and
> where are the logs, i need to know the ip address of a
> connection by terminal server and if is possible, what they do
> like data transfer and similar, I'm reading the event log of
> windows, but i don't foun anything of strange, i found only some
> try of a terminal server connection that try to connect some
> printers that server don't know and it haven't the right
> drivers... The windows 2003 server SBS is just installed, i
> haven't changed any policy about log on and terminal server and
> windows have all windows updated.
>
> Thank's for all!
 
Re: Terminal server log

Vera Noest [MVP] ha scritto:
> The only place where you can see this is in the Security EventLog, if
> you have enabled auditing of logon and logoff events.
>


I don't changed the policy, the server is just installed and i don't
think that audit is enabled...

there isn't anotehr way to know the ip address?
 
Re: Terminal server log


Hi,

You can then filter the logon events in the security eventlog logon type 10
RemoteInteractive
A user logged on to this computer remotely using Terminal Services or Remote Desktop.



Below here the complete list of logon types...

Logon type
Logon title
Description

2
Interactive
A user logged on to this computer.

3
Network
A user or computer logged on to this computer from the network.

4
Batch
The batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

5
Service
A service was started by the Service Control Manager.

7
Unlock
This workstation was unlocked.

8
NetworkCleartext
A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

9
NewCredentials
A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

10
RemoteInteractive
A user logged on to this computer remotely using Terminal Services or Remote Desktop.

11
CachedInteractive
A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.






Regards,

_____________________________
Piet van Dongen

MCSA, MCSE, MCTS, MCDBA, MCP
CCA, CCEA, CCSP
RPFCP, RWCP, RCP
_____________________________


"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> schreef in bericht news:Xns9A6BA30087315veranoesthemutforsse@207.46.248.16...
> The only place where you can see this is in the Security EventLog, if
> you have enabled auditing of logon and logoff events.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in
> microsoft.public.windows.terminal_services:
>
>> Hi all!
>> I need to know if a windows 2003 SBS (the full version with SQL
>> not the standard version) logs Terminal server connections and
>> where are the logs, i need to know the ip address of a
>> connection by terminal server and if is possible, what they do
>> like data transfer and similar, I'm reading the event log of
>> windows, but i don't foun anything of strange, i found only some
>> try of a terminal server connection that try to connect some
>> printers that server don't know and it haven't the right
>> drivers... The windows 2003 server SBS is just installed, i
>> haven't changed any policy about log on and terminal server and
>> windows have all windows updated.
>>
>> Thank's for all!
 
Re: Terminal server log

"Piet van Dongen" <piet_van_dongen@hotmail.com> schreef in bericht news:7F377F22-6008-43AD-A6A9-5BA5D7DFE1C6@microsoft.com...

Hi,

You can then filter the logon events in the security eventlog "logon type 10 RemoteInteractive" => A user logged on to this computer remotely using Terminal Services or Remote Desktop.

Below here the complete list of the different logon types...

Logon typeLogon titleDescription
2InteractiveA user logged on to this computer.
3NetworkA user or computer logged on to this computer from the network.
4BatchThe batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5ServiceA service was started by the Service Control Manager.
7UnlockThis workstation was unlocked.
8NetworkCleartextA user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9NewCredentialsA caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10RemoteInteractiveA user logged on to this computer remotely using Terminal Services or Remote Desktop.
11CachedInteractiveA user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.





Regards,

_____________________________
Piet van Dongen

MCSA, MCSE, MCTS, MCDBA, MCP
CCA, CCEA, CCSP
RPFCP, RWCP, RCP
_____________________________


"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> schreef in bericht news:Xns9A6BA30087315veranoesthemutforsse@207.46.248.16...
> The only place where you can see this is in the Security EventLog, if
> you have enabled auditing of logon and logoff events.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in
> microsoft.public.windows.terminal_services:
>
>> Hi all!
>> I need to know if a windows 2003 SBS (the full version with SQL
>> not the standard version) logs Terminal server connections and
>> where are the logs, i need to know the ip address of a
>> connection by terminal server and if is possible, what they do
>> like data transfer and similar, I'm reading the event log of
>> windows, but i don't foun anything of strange, i found only some
>> try of a terminal server connection that try to connect some
>> printers that server don't know and it haven't the right
>> drivers... The windows 2003 server SBS is just installed, i
>> haven't changed any policy about log on and terminal server and
>> windows have all windows updated.
>>
>> Thank's for all!
 
Re: Terminal server log

RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in
microsoft.public.windows.terminal_services:

> Vera Noest [MVP] ha scritto:
>> The only place where you can see this is in the Security
>> EventLog, if you have enabled auditing of logon and logoff
>> events.
>>

>
> I don't changed the policy, the server is just installed and i
> don't think that audit is enabled...
>
> there isn't anotehr way to know the ip address?


No, if you haven't enabled auditing of security events, there's no
other place on the TS where you can find this information.

If you are trying to investigate an unauthorized connection from
outside your LAN, you should check the logs in your firewall.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Re: Terminal server log

Piet van Dongen ha scritto:
> "Piet van Dongen" <piet_van_dongen@hotmail.com> schreef in bericht
> news:7F377F22-6008-43AD-A6A9-5BA5D7DFE1C6@microsoft.com...
>
> Hi,
>
> You can then filter the logon events in the security eventlog "logon
> type 10 RemoteInteractive" => A user logged on to this computer remotely
> using Terminal Services or Remote Desktop.


i haven't "logon type", i've type, date, hour, origin, category, event,
username, computer.

How can I active the auditing?
 
Re: Terminal server log

Vera Noest [MVP] ha scritto:
> RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in
> microsoft.public.windows.terminal_services:
>
>> Vera Noest [MVP] ha scritto:
>>> The only place where you can see this is in the Security
>>> EventLog, if you have enabled auditing of logon and logoff
>>> events.
>>>

>> I don't changed the policy, the server is just installed and i
>> don't think that audit is enabled...
>>
>> there isn't anotehr way to know the ip address?

>
> No, if you haven't enabled auditing of security events, there's no
> other place on the TS where you can find this information.
>
> If you are trying to investigate an unauthorized connection from
> outside your LAN, you should check the logs in your firewall.



How can I active the auditing?
 
Re: Terminal server log

Vera Noest [MVP] ha scritto:
> RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in
> microsoft.public.windows.terminal_services:
>
>> Vera Noest [MVP] ha scritto:
>>> The only place where you can see this is in the Security
>>> EventLog, if you have enabled auditing of logon and logoff
>>> events.
>>>

>> I don't changed the policy, the server is just installed and i
>> don't think that audit is enabled...
>>
>> there isn't anotehr way to know the ip address?

>
> No, if you haven't enabled auditing of security events, there's no
> other place on the TS where you can find this information.
>
> If you are trying to investigate an unauthorized connection from
> outside your LAN, you should check the logs in your firewall.



Thank you to all, i solve my troubles enabling the audit and windows
show me old ip address
 
Back
Top