Re: Event Logging for Remote Desktop

From: Sooner Al (SoonerAl_at_somewhere.net.invalid)
Date: 04/26/04 

Date: Mon, 26 Apr 2004 07:28:39 -0500

You can setup an Audit Policy using the Group Policy editor to log logon success and failures. Go
to "Start -> Run" and type 'gpedit.msc' (without the quotes). Navigate to "Local Computer Policy ->
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit
Policies -> Audit logon events". Highlight and right-click and select properties. Configure as
desired.

Note, some folks have XP boxes setup to login without a password. Logging in without a password
counts as a "failure". This results in the security log filling up very fast if you log failures and
have a user without a password. I fell into that trap while testing a new XP Pro box a while back.
The result is you can not login normally. Also note, not having a password is a potential and
probable security risk.

The event log can be viewed by going to "Start -> Control Panel -> Performance and Maintenance ->
Administrative Tools" and click on "Event Viewer".

You can look for the "Logon type 10" in the Event Properties which indicates "A user logged on to
this computer remotely using Terminal Services or a Remote Desktop connection". 

-- 
    Al Jarvi (MS-MVP Windows Networking)
Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
"SL" <anonymous@discussions.microsoft.com> wrote in message 
news:43fd01c42b88$332759a0$a001280a@phx.gbl...
> Hi,
>
> Is there any way to make Event log start logging attempt
> (success and failure) to Remote Desktop. I want to make
> sure if I know if there is anyone tried to logon to my
> machine with Remote Desktop.
>
> thanks
>
> SL

Relevant Pages

  • Re: Account Logon Time Restriction
    ... The logon failures decreased signigicantly but are still there. ... workstation from which the login originates. ... account's likely logged-into workstation, check if ...
    (microsoft.public.win2000.security)
  • Re: Remote Desktop Connection logs
    ... The resulting windows lists the various logon types. ... > Al Jarvi (MS-MVP Windows Networking) ... >> client keeps any logs of attempted connection whether succesful or failures. ... >>> You can setup an Audit Policy using the Group Policy editor to log logon success and failures. ...
    (microsoft.public.windowsxp.work_remotely)
  • Re: Event Logging for Remote Desktop
    ... >You can setup an Audit Policy using the Group Policy ... editor to log logon success and failures. ... Navigate to "Local Computer Policy -> ... >> to Remote Desktop. ...
    (microsoft.public.windowsxp.work_remotely)
  • Event ID 680 - 529 in Server Security Log
    ... Server 2003 and Windows XP SP2. ... Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ... There are groups of 48 Event failures recorded during the same second. ... there are 48 failures from this username in my server security log. ...
    (microsoft.public.windows.server.general)
  • Security Event failures 680 and 529 - Server 2k3 and XP
    ... Server 2003 and Windows XP SP2. ... Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ... There are groups of 48 Event failures recorded during the same second. ... install using a completely unique username, add the PC to the domain, ...
    (microsoft.public.windows.server.general)