Terminal server log

[Guest RedFoxy]

Hi all!

I need to know if a windows 2003 SBS (the full version with SQL not the

standard version) logs Terminal server connections and where are the

logs, i need to know the ip address of a connection by terminal server

and if is possible, what they do like data transfer and similar, I'm

reading the event log of windows, but i don't foun anything of strange,

i found only some try of a terminal server connection that try to

connect some printers that server don't know and it haven't the right

drivers...

The windows 2003 server SBS is just installed, i haven't changed any

policy about log on and terminal server and windows have all windows

updated.

 

Thank's for all!

[Guest Vera Noest [MVP]]

Re: Terminal server log

 

The only place where you can see this is in the Security EventLog, if

you have enabled auditing of logon and logoff events.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in

microsoft.public.windows.terminal_services:

> Hi all!

> I need to know if a windows 2003 SBS (the full version with SQL

> not the standard version) logs Terminal server connections and

> where are the logs, i need to know the ip address of a

> connection by terminal server and if is possible, what they do

> like data transfer and similar, I'm reading the event log of

> windows, but i don't foun anything of strange, i found only some

> try of a terminal server connection that try to connect some

> printers that server don't know and it haven't the right

> drivers... The windows 2003 server SBS is just installed, i

> haven't changed any policy about log on and terminal server and

> windows have all windows updated.

>

> Thank's for all!

[Guest RedFoxy]

Re: Terminal server log

 

Vera Noest [MVP] ha scritto:

> The only place where you can see this is in the Security EventLog, if

> you have enabled auditing of logon and logoff events.

>

 

I don't changed the policy, the server is just installed and i don't

think that audit is enabled...

 

there isn't anotehr way to know the ip address?

[Guest Piet van Dongen]

Re: Terminal server log

 

 

Hi,

 

You can then filter the logon events in the security eventlog logon type 10

RemoteInteractive

A user logged on to this computer remotely using Terminal Services or Remote Desktop.

 

 

 

Below here the complete list of logon types...

 

Logon type

Logon title

Description

 

2

Interactive

A user logged on to this computer.

 

3

Network

A user or computer logged on to this computer from the network.

 

4

Batch

The batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

 

5

Service

A service was started by the Service Control Manager.

 

7

Unlock

This workstation was unlocked.

 

8

NetworkCleartext

A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

 

9

NewCredentials

A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

 

10

RemoteInteractive

A user logged on to this computer remotely using Terminal Services or Remote Desktop.

 

11

CachedInteractive

A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

 

 

 

 

 

 

Regards,

 

_____________________________

Piet van Dongen

 

MCSA, MCSE, MCTS, MCDBA, MCP

CCA, CCEA, CCSP

RPFCP, RWCP, RCP

_____________________________

 

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> schreef in bericht news:Xns9A6BA30087315veranoesthemutforsse@207.46.248.16...

> The only place where you can see this is in the Security EventLog, if

> you have enabled auditing of logon and logoff events.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in

> microsoft.public.windows.terminal_services:

>

>> Hi all!

>> I need to know if a windows 2003 SBS (the full version with SQL

>> not the standard version) logs Terminal server connections and

>> where are the logs, i need to know the ip address of a

>> connection by terminal server and if is possible, what they do

>> like data transfer and similar, I'm reading the event log of

>> windows, but i don't foun anything of strange, i found only some

>> try of a terminal server connection that try to connect some

>> printers that server don't know and it haven't the right

>> drivers... The windows 2003 server SBS is just installed, i

>> haven't changed any policy about log on and terminal server and

>> windows have all windows updated.

>>

>> Thank's for all!

[Guest Piet van Dongen]

Re: Terminal server log

 

"Piet van Dongen" <piet_van_dongen@hotmail.com> schreef in bericht news:7F377F22-6008-43AD-A6A9-5BA5D7DFE1C6@microsoft.com...

 

Hi,

 

You can then filter the logon events in the security eventlog "logon type 10 RemoteInteractive" => A user logged on to this computer remotely using Terminal Services or Remote Desktop.

 

Below here the complete list of the different logon types...

 

Logon typeLogon titleDescription

2InteractiveA user logged on to this computer.

3NetworkA user or computer logged on to this computer from the network.

4BatchThe batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

5ServiceA service was started by the Service Control Manager.

7UnlockThis workstation was unlocked.

8NetworkCleartextA user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

9NewCredentialsA caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

10RemoteInteractiveA user logged on to this computer remotely using Terminal Services or Remote Desktop.

11CachedInteractiveA user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

 

 

 

 

 

Regards,

 

_____________________________

Piet van Dongen

 

MCSA, MCSE, MCTS, MCDBA, MCP

CCA, CCEA, CCSP

RPFCP, RWCP, RCP

_____________________________

 

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> schreef in bericht news:Xns9A6BA30087315veranoesthemutforsse@207.46.248.16...

> The only place where you can see this is in the Security EventLog, if

> you have enabled auditing of logon and logoff events.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in

> microsoft.public.windows.terminal_services:

>

>> Hi all!

>> I need to know if a windows 2003 SBS (the full version with SQL

>> not the standard version) logs Terminal server connections and

>> where are the logs, i need to know the ip address of a

>> connection by terminal server and if is possible, what they do

>> like data transfer and similar, I'm reading the event log of

>> windows, but i don't foun anything of strange, i found only some

>> try of a terminal server connection that try to connect some

>> printers that server don't know and it haven't the right

>> drivers... The windows 2003 server SBS is just installed, i

>> haven't changed any policy about log on and terminal server and

>> windows have all windows updated.

>>

>> Thank's for all!

[Guest Vera Noest [MVP]]

Re: Terminal server log

 

RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in

microsoft.public.windows.terminal_services:

> Vera Noest [MVP] ha scritto:

>> The only place where you can see this is in the Security

>> EventLog, if you have enabled auditing of logon and logoff

>> events.

>>

>

> I don't changed the policy, the server is just installed and i

> don't think that audit is enabled...

>

> there isn't anotehr way to know the ip address?

 

No, if you haven't enabled auditing of security events, there's no

other place on the TS where you can find this information.

 

If you are trying to investigate an unauthorized connection from

outside your LAN, you should check the logs in your firewall.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

[Guest RedFoxy]

Re: Terminal server log

 

Piet van Dongen ha scritto:

> "Piet van Dongen" <piet_van_dongen@hotmail.com> schreef in bericht

> news:7F377F22-6008-43AD-A6A9-5BA5D7DFE1C6@microsoft.com...

>

> Hi,

>

> You can then filter the logon events in the security eventlog "logon

> type 10 RemoteInteractive" => A user logged on to this computer remotely

> using Terminal Services or Remote Desktop.

 

i haven't "logon type", i've type, date, hour, origin, category, event,

username, computer.

 

How can I active the auditing?

[Guest RedFoxy]

Re: Terminal server log

 

Vera Noest [MVP] ha scritto:

> RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in

> microsoft.public.windows.terminal_services:

>

>> Vera Noest [MVP] ha scritto:

>>> The only place where you can see this is in the Security

>>> EventLog, if you have enabled auditing of logon and logoff

>>> events.

>>>

>> I don't changed the policy, the server is just installed and i

>> don't think that audit is enabled...

>>

>> there isn't anotehr way to know the ip address?

>

> No, if you haven't enabled auditing of security events, there's no

> other place on the TS where you can find this information.

>

> If you are trying to investigate an unauthorized connection from

> outside your LAN, you should check the logs in your firewall.

 

 

How can I active the auditing?

[Guest RedFoxy]

Re: Terminal server log

 

Vera Noest [MVP] ha scritto:

> RedFoxy <redfoxy.nospam@redfoxy.it> wrote on 24 mar 2008 in

> microsoft.public.windows.terminal_services:

>

>> Vera Noest [MVP] ha scritto:

>>> The only place where you can see this is in the Security

>>> EventLog, if you have enabled auditing of logon and logoff

>>> events.

>>>

>> I don't changed the policy, the server is just installed and i

>> don't think that audit is enabled...

>>

>> there isn't anotehr way to know the ip address?

>

> No, if you haven't enabled auditing of security events, there's no

> other place on the TS where you can find this information.

>

> If you are trying to investigate an unauthorized connection from

> outside your LAN, you should check the logs in your firewall.

 

 

Thank you to all, i solve my troubles enabling the audit and windows

show me old ip address