event log for failed Remote Desktop connections

  • Question

  • Two domain controllers
    14 "rdp" servers
    60 clients connecting to the servers.

    It has been requested that we are able to audit all failed login attempts.

    If I attempt to log in to an "rdp server" with domain\FakeName (where FakeName does NOT exist in the AD), I get a proper event in the RDP server's event log detailing "fakename" and the source of the RDP connection (IP of one of the clients).

    If I log in using a genuine AD username but an incorrect password, no event is generated in the "rdp servers" log. The domain controllers do show an "audit failure" but only give the username; it does not say which client made the attempt.

    I need to know where all the attempted logons were coming from.

     

    Wednesday, May 13, 2015 9:52 AM

All replies

  • It should be logged on one of the DCs

    This post is provided AS IS with no warranties or guarantees, and confers no rights.

    Wednesday, May 13, 2015 9:57 AM
  • Hello,

    have you configured the settings with advanced security auditing?

    https://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by AnnaWY Wednesday, May 27, 2015 6:41 AM
    • Marked as answer by AnnaWY Sunday, May 31, 2015 9:24 AM
    Wednesday, May 13, 2015 10:35 AM
  • Hi Joe,

    For failed RDP connections you should enable this policy: Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Audit Credential Validation, set to Failures. And monitor Event ID 4776:

    Audit Credential Validation

    If there is anything else regarding this issue, please feel free to post back.

    Best Regards,

    Anna Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    • Proposed as answer by AnnaWY Wednesday, May 27, 2015 6:40 AM
    • Marked as answer by AnnaWY Sunday, May 31, 2015 9:24 AM
    Thursday, May 14, 2015 10:07 AM
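
One way to act on the advice in the replies above (Audit Credential Validation failures, Event ID 4776), as an added example that is not part of the thread: it collects 4776 failures from both domain controllers and reports the workstation name recorded for each attempt. The DC names `DC01`/`DC02`, the function names and the sample event are constructed for illustration.

```powershell
# Added example; DC names and the sample event below are constructed placeholders.
# Check the policy on each DC first:  auditpol /get /subcategory:"Credential Validation"
$DomainControllers = @('DC01', 'DC02')

# NTSTATUS codes commonly found in the Status field of event 4776
$StatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
}

function ConvertFrom-Event4776 {
    # Turns one 4776 event (as XML) into a row; returns nothing for successes.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $status = "$($data['Status'])".ToLower()
    if ($status -eq '0x0') { return }
    $reason = $StatusText[$status]
    if (-not $reason) { $reason = 'other failure' }
    [pscustomobject]@{
        Time        = $EventXml.Event.System.TimeCreated.SystemTime
        LoggedOn    = $EventXml.Event.System.Computer
        User        = $data['TargetUserName']
        Workstation = $data['Workstation']
        Status      = $status
        Reason      = $reason
    }
}

function Get-FailedCredentialValidation {
    # Reads the last $Hours of 4776 events from each DC's Security log.
    param([string[]]$ComputerName = $DomainControllers, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-Event4776 -EventXml $_.ToXml() }
    }
}

# Constructed sample so the parser can be tried without a domain controller
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><TimeCreated SystemTime="2015-05-13T09:40:00Z"/><Computer>DC01</Computer></System>
  <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="Workstation">CLIENT17</Data>
    <Data Name="Status">0xc000006a</Data></EventData>
</Event>
'@
ConvertFrom-Event4776 -EventXml $SampleXml
```

On the network, `Get-FailedCredentialValidation | Group-Object Workstation, User | Sort-Object Count -Descending` shows which client names generate the failures for each account.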