We have contractors periodically remoting into our production servers and goodness know what changes that they could potentially make. So What can I use to log when users log on or off a server(s)?
Windows Server 2003
AD Domain
Audit when users log on and off servers
group-policyremote desktopwindows-event-logwindows-server-2003
Related Solutions
I found this article mentioning a registry entry which could be the culprit:
With scheduled updates, administrators will be given a five-minute interval to decide whether to postpone installation, once the update files are downloaded (which will delay it until the next restart or scheduled interval -- depending on registry settings). If the installation requires a reboot (which is frequently the case) a user will be presented with a modal (i.e., positioned in front of the other windows) dialog box reminding her of the need to reboot (by default, the reboot will not be forced, although this can be changed by modifying the registry entry).
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\ Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers
The logoff could trigger the postponed automatic reboot.
See also this blog post: "Is Windows Automatic Update Client rebooting your system unexpectedly? Read this to “fix” it…".
In the first bit of your post it sounds like somebody had already configured a "Restricted Groups Policy" for the "Remote Desktop Users" group, which explains why it "emptied out". That's not a stock OS feature-- somebody configured that at some point. You got around it by either modifying the GPO that was "emptying out" the group, or by making a new GPO that applied after the existing "Restricted Groups"-containing GPO to override the setting.
The next bit-- the "You do not have access to logon to this session" bit is a bit more confusing. I've been trying to repro it on a Windows Server 2003 SP2 32-bit Std. machine for a bit now, and I can't come up with a repro condition.
If you would, open the "Terminal Services Configuration" tool on the machine, highlight the "Connections" node in the left pane, and bring up the "Properties" of the "RDP-Tcp" object in the right pane. Have a look at the "Permissions" tab and see that "Remote Desktop Users" is granted "User Access" and "Guest Access" (the stock permission).
Failing that, I'm not sure w/o being able to repro it. What service pack level are you running of W2K3?
(BTW: I've got a similiar background to you-- I started on Unix and moved over to Windows grudgingly. Group Policy is incredibly useful once you get over the quirks. I script Windows machines like a mad man because I can't stand to do the same work more than once. The built-in Windows command shell is utterly inferior to any Unix shell, but it can be coaxed into performing most tasks...)
Edit:
Oh-- they're Windows XP machines. I didn't realize that. That changes things. I thought these were servers you were trying to access w/ RDP.
My psychic powers say that you're seeing the "You do not have access to logon to this session" message because there is someone already logged-on to the PC and the user logging-on with RDP doesn't have "Administrator" rights on the Windows XP machine. Windows XP can only host one RDP / console session at a time, and if someone is already logged-on only an "Administrator" user can remotely "bump them off" with RDP. All other users attempting to logon w/ RDP will receive the message you described above.
How does that look?
To investigate the "Restricted Groups" policy more, run the RSoP tool on the WinXP clients and see if there are any GPOs enforcing a "Restricted Groups" setting on "Remote Desktop Users". In a network I setup, for example, there would be. It's a common way to grant groups access to RDP on clients.
Best Answer
Audit Logon Events So I looked around and discovered you can make a group policy (and apply it to your production server OU) that can audit logon events, in other words Write an event log when people log on or off your server.
To do so, Open Group Policy Management, Then create a new group policy object in the "Group Policy Objects folder" Give it a descriptive name. Audit_Remote_logons seems good enough for me. Then go "Computer Configuration --> Policies --> Windows Settings --> Security --> Local Policy --> Audit Policy --> Then open Audit Logon Events and then enable "Success" and "Failure"
Now link the GPO the the OUs you want this enabled for.
Optionally, run "GPUdate /force" on your production servers. After this policy has been applied you can go into your security events logs and view the successful logon/logoff events.