RDP client username and IP address

  • Question

  • How can I create a user startup script that gets the RDP client logon time, IP address and username, and writes the results to winevent?

    Nikola Batinica System Administrator at BANINI AD www.banini.co.rs

    Wednesday, November 21, 2012 12:21 PM

Answers

  • Enable "Audit logon events" - http://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx (Event ID 528 / 4624)

    Example (logon time = when the event was created):

    An account was successfully logged on.

    Subject:
        Security ID:            SYSTEM
        Account Name:           WIN-R9H529RIO4Y$
        Account Domain:         WORKGROUP
        Logon ID:               0x3e7

    Logon Type:                 10

    New Logon:
        Security ID:            WIN-R9H529RIO4Y\Administrator
        Account Name:           Administrator
        Account Domain:         WIN-R9H529RIO4Y
        Logon ID:               0x19f4c
        Logon GUID:             {00000000-0000-0000-0000-000000000000}

    Process Information:
        Process ID:             0x4c0
        Process Name:           C:\Windows\System32\winlogon.exe

    Network Information:
        Workstation Name:       WIN-R9H529RIO4Y
        Source Network Address: 10.42.42.211
        Source Port:            1181

    Detailed Authentication Information:
        Logon Process:          User32
        Authentication Package: Negotiate
        Transited Services:     -
        Package Name (NTLM only): -
        Key Length:             0

    Parse with PowerShell:

    # Successful logons (4624) with LogonType 10 (RemoteInteractive = RDP). -LogName is required next to -FilterXPath, and reading the Security log needs admin rights.
    $evt = Get-WinEvent -LogName Security -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)] and EventData[Data[@Name='LogonType']='10']]"

    # Properties[5] is TargetUserName (the account that logged on); group the events per user.
    $groups = $evt | Group-Object {$_.Properties[5].Value}

    # Get-WinEvent returns newest first, so [0] is each user's most recent RDP logon.
    $groups | ForEach-Object {$_.Group[0]} | Select-Object @{n="UserName";e={$_.Properties[5].Value}},@{n="LogOn";e={$_.TimeCreated}}

    • Marked as answer by Nikola Batinica Wednesday, November 21, 2012 12:45 PM
    Wednesday, November 21, 2012 12:37 PM
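The answer above pulls username and logon time only; the question also asked for the client IP address and for the result to be written back to the event log. The script below is an added example, not code from the thread or from Microsoft: it reads recent 4624 events, keeps only LogonType 10, selects the fields by name from the event XML (so it does not depend on the positional Properties index), and writes one summary record per RDP logon to the Application log. The event source name RdpLogonAudit, the event ID 1000 and the 24-hour window are assumptions chosen for the example; it must run elevated, since reading the Security log and registering an event source both need admin rights.

```powershell
# Added example (not from the original thread). Assumed names: source 'RdpLogonAudit',
# event ID 1000, default window of 24 hours. Run elevated.
param(
    [int]$Hours = 24,
    [string]$Source = 'RdpLogonAudit'
)

# Write-EventLog refuses an unregistered source, so register it once (needs admin).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Successful logons from the Security log in the chosen window. LogonType is event data,
# not a System field, so it is filtered after retrieval.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the event XML so each EventData field is picked by its Name attribute.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 10 = RemoteInteractive (RDP / Terminal Services); skip everything else.
    if ($data.LogonType -ne '10') { continue }

    $record = [pscustomobject]@{
        LogonTime   = $e.TimeCreated
        User        = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        SourceIP    = $data.IpAddress
        SourcePort  = $data.IpPort
        Workstation = $data.WorkstationName
    }

    # Echo to the console and record a summary in the Application log.
    $record
    $msg = 'RDP logon: user={0} ip={1} port={2} workstation={3} at={4:o}' -f `
        $record.User, $record.SourceIP, $record.SourcePort, $record.Workstation, $record.LogonTime
    Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Information -Message $msg
}
```

Two caveats when reading the output: a reconnect to an existing disconnected session does not produce a new 4624, so only fresh logons appear here, and the IpAddress field can be "-" or a loopback address for logons that did not arrive over the network.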