regular users with session initiated on a domain controller (RDP)

  • Question


  • I'm investigating a weird issue: someone sent me a screen capture of an AD DC showing two regular users with "session initiated" status on the welcome screen of an AD DC.

    The screen capture shows a "square" symbol, on the upper line the DOMAIN\LOGIN_NAME and below it the "Session Initiated" message.

    Makes no sense, because I've checked and double-checked, these regular users do not have rights or privileges to log on (neither locally nor via RDP) to AD DCs. The AD DC is a VM, so no local logon could occur without access to the Hyper-V host (a workgroup machine), so maybe it could be an RDP remote logon. There are events 4624 with logon type = 3 (network logon) and as far as I know, an RDP logon will show a logon type = 10.

    I know this screen; it looks exactly like someone doing a local or remote login via RDP, disconnecting the session, and the session then looks like it was initiated by someone else. The person who gave me this screen capture couldn't log in and see the Users tab in Task Manager to make sure that there was a disconnected session.

    What chain of events could cause a user to appear to be logged on to a DC, generating a "session initiated" message on the welcome screen? As far as I know, session events for mapped drive letters, printing and other network activities couldn't cause the "session initiated" status to appear on the welcome screen of the AD DC.



    • Edited by KayZerSoze Friday, September 9, 2016 12:38 PM typo
    Friday, September 9, 2016 12:15 PM
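The triage the question describes (telling network logons, type 3, apart from console and RDP logons, types 2 and 10, and confirming whether a disconnected desktop session exists) can be scripted on the DC. The following PowerShell is an added example written for this thread, not code from the poster; the account names, the seven-day window and the `CONTOSO` domain are placeholders.

```powershell
# Added example (not from the original post): group the DC's 4624 events for two
# named accounts by logon type, then list the sessions still holding a desktop.
# Run in an elevated PowerShell on the domain controller.
$Accounts = @('CONTOSO\alice', 'CONTOSO\bob')   # placeholder DOMAIN\LOGIN_NAME values
$Since    = (Get-Date).AddDays(-7)              # placeholder look-back window

# Logon type meanings as documented for event 4624
$LogonTypeNames = @{
    '2'  = 'Interactive (console)'
    '3'  = 'Network (file share, RPC, WMI, ...)'
    '4'  = 'Batch (scheduled task)'
    '5'  = 'Service'
    '7'  = 'Unlock'
    '10' = 'RemoteInteractive (RDP)'
    '11' = 'CachedInteractive'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction Stop

# Parse the EventData block of each event into a hashtable keyed by field name
$rows = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
    if ($Accounts -notcontains $account) { continue }   # -contains is case-insensitive
    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Account   = $account
        LogonType = $d['LogonType']
        Meaning   = $LogonTypeNames[$d['LogonType']]
        SourceIP  = $d['IpAddress']
        Process   = $d['ProcessName']
        LogonId   = $d['TargetLogonId']
    }
}

# Summary: how many logons of each type per account
$rows | Group-Object Account, LogonType | Select-Object Name, Count | Format-Table -AutoSize

# Only logons that actually create a desktop session on the DC (console, RDP, cached)
$rows | Where-Object { $_.LogonType -in @('2', '10', '11') } |
    Sort-Object Time | Format-Table Time, Account, Meaning, SourceIP, Process -AutoSize

# Sessions still present on the box, including disconnected ones ("Disc" state):
# a disconnected RDP session is what keeps the user listed on the welcome screen.
quser 2>$null
```

If the account only ever appears with logon type 3, the events explain the file-share or RPC traffic the answer below mentions, but not the welcome-screen entry; a type 10 event (with the source IP and `TargetLogonId`) or a `quser` row in the `Disc` state is what would confirm the disconnected-RDP scenario the question proposes.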

Answers

  • Hi,

    Logon Type 3 can be logged with activities such as accessing a file share, so we need to find more clues to analyze this behavior.

    I suggest you check the mentioned user's group membership first, then run GPresult.exe on the Domain Controller to find out which groups/accounts have permission to log onto it, in case the default group policy settings were modified.

    More specifically, you may use the /h switch to get an .html view.

    For example:

    GPresult /h C:\GPresult1.html

    In addition, here is a related article below for you:

    “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group

    https://blogs.technet.microsoft.com/askperf/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group/

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 12, 2016 6:55 AM
    Moderator
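The two checks the answer recommends, group membership and the effective logon rights on the DC, can be combined into one script so the comparison is done for you rather than read out of the GPResult report. This PowerShell is an added example for this thread, not code from the replier or from Microsoft; it assumes the ActiveDirectory module is installed on the DC, and the user name is a placeholder.

```powershell
# Added example (not from the original reply): resolve the account's transitive
# group membership, export the DC's effective user-rights assignment with secedit,
# and report which logon rights (allow and deny) cover the account or its groups.
# Run in an elevated PowerShell on the domain controller.
Import-Module ActiveDirectory
$User = 'alice'   # placeholder sAMAccountName

# 1. Transitive (nested) group membership via the LDAP_MATCHING_RULE_IN_CHAIN filter.
#    The DN is used unescaped; escape it if it contains '(' ')' '*' or '\'.
$dn     = (Get-ADUser -Identity $User).DistinguishedName
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
              Select-Object -ExpandProperty Name
$principals = @($User) + $groups + @('Everyone', 'Authenticated Users', 'Users')

# 2. Effective user-rights assignment on this machine (local policy merged with GPO)
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2] -split ',' | ForEach-Object {
            $p = $_.Trim()
            if ($p.StartsWith('*')) {
                # Translate SIDs to names; keep the SID if it no longer resolves
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier $p.Substring(1)).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $p }
            } else { $p }
        }
    }
}

# 3. Compare: strip the DOMAIN\ or BUILTIN\ prefix so names match the AD group names
$ofInterest = @(
    'SeInteractiveLogonRight',           # Allow log on locally
    'SeRemoteInteractiveLogonRight',     # Allow log on through Remote Desktop Services
    'SeDenyInteractiveLogonRight',       # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)
foreach ($right in $ofInterest) {
    $holders = @($rights[$right]) | ForEach-Object { ($_ -split '\\')[-1] }
    $hits    = $holders | Where-Object { $principals -contains $_ }
    [pscustomobject]@{
        Right    = $right
        Granted  = ($holders -join ', ')
        Matches  = if ($hits) { $hits -join ', ' } else { '(none)' }
    }
} | Format-Table -AutoSize

# 4. The HTML report from the reply, scoped to computer settings, for the full picture
gpresult /scope computer /h (Join-Path $env:TEMP 'GPresult1.html')
```

A match under `SeRemoteInteractiveLogonRight` (for example through nested membership in `Remote Desktop Users`, which the linked article discusses) explains how a "regular" user could still open an RDP session on the DC; a match under one of the `SeDeny*` rights takes precedence and rules that path out.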

All replies

  • Hi,

    Would you please provide us with an update on the status of your issue?

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 16, 2016 9:29 AM
    Moderator