Is there a way to retrieve an audit trail / history of remote/RDP logons for a particular user on a Windows 2008 R2 machine?
We have a server here in our intranet which has a domain-wide user as local admin, and when I logged in with its credentials yesterday, I saw... well... something rather "unpleasant" going on in the already existing session, and I'd like to find out who was connecting and using that account/session before me. "Who" meaning any sort of information that might help track down who he actually was, e.g. the machine name the login/session was initiated from, etc. Is there any way to retrieve any helpful information?
I am not an admin and the IT department takes a while to respond, but we want to stop that user/behaviour ASAP without 'just' changing the password etc.
Best Answer
You should be able to find the IP address of the connecting machine in the Security log. Open the event viewer program on the server, then check the security log (under the Windows Logs folder).
On the right-hand side, select Filter and filter for event ID 4624. You'll have to look through the events until you find ones that have 'Logon Type: 10'. Those will show the IP address of the connecting machine as 'Source Network Address'.
You can check the machine name by opening a command prompt and typing nslookup IPAddress (example: nslookup 192.168.1.1). Note that depending on your network configuration, the IP address you find in the log may have been reassigned to a new machine, so this may not be accurate after the event occurred.
The IP (or machine name) may also show up in the Operational log in the event viewer under the folder path "Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager". Look for Event ID 1149.
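The same two lookups the answer describes (Security 4624 with logon type 10, and TerminalServices-RemoteConnectionManager 1149), done from PowerShell so the results can be filtered by account and correlated in one list. This is an added example, not part of the original answer. It assumes you can read the Security log (i.e. you are running in an elevated PowerShell on the server as a local admin), that the account name in `$User` is a placeholder for the account you are tracing, and that the RemoteConnectionManager/Operational log has not been disabled (it is enabled by default). `Resolve-SourceHost` is a helper written for this example, not a built-in cmdlet.

```powershell
# Added example: trace RDP logons for one account on a Windows 2008 R2 server.
# Assumes: elevated PowerShell (Security log is admin-only), PowerShell 2.0 or later.
$User = 'svc-localadmin'    # placeholder: the shared local-admin account to trace
$Days = 7                   # how far back to look
$since = (Get-Date).AddDays(-$Days)

# Reverse-DNS helper (same thing as "nslookup <ip>" in the answer, same caveat:
# with DHCP the address may already belong to a different machine).
function Resolve-SourceHost([string]$ip) {
    if ([string]::IsNullOrEmpty($ip) -or $ip -eq '-') { return $null }
    try   { return ([System.Net.Dns]::GetHostEntry($ip)).HostName }
    catch { return "(no PTR record for $ip)" }
}

# 1. Security log, event 4624: successful logons. Logon type 10 = RemoteInteractive (RDP).
#    Each field of the event is in <EventData><Data Name="...">; pull them into a hashtable.
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } `
                          -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Source      = 'Security/4624'
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            SourceIP    = $d.IpAddress          # 'Source Network Address' in the GUI
            Workstation = $d.WorkstationName    # client-supplied name; not authoritative
            LogonId     = $d.TargetLogonId      # correlates with 4634/4647 logoff events
        }
    } |
    Where-Object { $_.LogonType -eq '10' -and $_.User -like "*\$User" }

# 2. TerminalServices-RemoteConnectionManager/Operational, event 1149:
#    "User authentication succeeded" with user (Param1), domain (Param2), source IP (Param3).
$rcmLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$rcmEvents = Get-WinEvent -FilterHashtable @{ LogName=$rcmLog; Id=1149; StartTime=$since } `
                          -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Source      = 'RCM/1149'
            User        = "$($u.Param2)\$($u.Param1)"
            LogonType   = 'n/a'
            SourceIP    = $u.Param3
            Workstation = $null
            LogonId     = $null
        }
    } |
    Where-Object { $_.User -like "*\$User" }

# 3. Merge both sources, resolve the source IP, and print a timeline.
$timeline = @($rdpLogons) + @($rcmEvents) |
    Select-Object Time, Source, User, LogonType, SourceIP, Workstation, LogonId,
                  @{ Name='SourceHost'; Expression={ Resolve-SourceHost $_.SourceIP } } |
    Sort-Object Time

$timeline | Format-Table -AutoSize
```

Two caveats when reading the output: a 4624 whose source address is `127.0.0.1` or `::1` usually means the connection came in through a gateway or a listener on the box itself rather than directly from a workstation, and a client that reconnects to an already-existing disconnected session may be recorded with logon type 7 (unlock) rather than 10, so if the timeline looks incomplete, rerun the first query with `$_.LogonType -eq '7'` as well. `WorkstationName` is whatever the RDP client reported about itself, so treat the reverse-DNS name of `SourceIP` as the more trustworthy of the two.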