Remote Desktop Services login history

eventviewerremote-desktop-servicesterminal-serverwindows-server-2008-r2

Is it possible to generate a report of past user logins to a Windows Server 2008 Remote Desktop Services server?

The closest Event Viewer logs I can find are under Application and Services Logs –> Microsoft –> Windows –> TerminalServices-RemoteConnectionManager. These logs are good, however you cannot display the user account for each login event (Event ID 1149).

Any ideas out there?

Best Answer

You can use a script to collect this information. Not as ideal/simple, but it will get the job done. Here is a Powershell script that should work on Windows 7/Server 2008r2 or higher (this code can be further cleaned up on newer Powershell versions, but I have kept it as-is for backwards compatibility):

$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Results = @()
$Events = Get-WinEvent -LogName $LogName
foreach ($Event in $Events) {
    $EventXml = [xml]$Event.ToXML()

    $ResultHash = @{
        Time        = $Event.TimeCreated.ToString()
        'Event ID'  = $Event.Id
        'Desc'      = ($Event.Message -split "`n")[0]
        Username    = $EventXml.Event.UserData.EventXML.User
        'Source IP' = $EventXml.Event.UserData.EventXML.Address
        'Details'   = $Event.Message
    }

    $Results += (New-Object PSObject -Property $ResultHash)
}

$Results | Export-Csv 'Remote Desktop Users.csv'
Related Topic