I'm using qwinsta and rwinsta to manage disconnected sessions at the moment. I usually get something like this:
SESSIONNAME USERNAME ID STATE TYPE DEVICE
console 0 Conn wdcon
rdp-tcp 65536 Listen rdpwd
Administrator 1 Disc rdpwd
The problem is when people log on as local Administrator or more general domain accounts.
It may not be possible, but is there a command I can use to get the IPAddress (and then machine name) where the Administrator logon occurred from? I've tried quite a lot of searching around and trying all the tools I could find (sysinternal psloggedon, nbstat etc), but none could get me this information.
Can I find out who keeps leaving sessions open!
Best Answer
You could try GETTSCIP from http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm
It's a freeware application, but I don't know if it will work for disconnected sessions. I doubt if it will, though.