none
Terminal Services logging RRS feed

  • Question

  • Windows 2008 R2 server has stopped logging in the event log on this server.  I have cleared the log, disable and re-enabled logging and it's still not logging.  It did work at one point because there were logs up until March 20186.

    Any help is appreciated!

    Friday, May 27, 2016 7:27 PM

All replies

  • Question - what logs are you referring to?  Terminal Server logons recorded in the Security log?  Or special Terminal Server channel event logs, like Microsoft/Windows/TerminalServices-LocalSessionManager?

    Once I have that information, I'll be in a better position to assist you.

    Saturday, May 28, 2016 7:35 PM
  • Event Viewer > Application and Service logs > Microsoft > Windows > TerminalServices - RemoteConnectionManager > Operational
    Tuesday, May 31, 2016 9:56 PM
  • Hi,

    Would you please tell us the remote desktop role installed on the server?

    I have tested that if only RD Web Access is the only role installed, remote desktop connections to the RDS farm wouldn’t generate events under RemoteConnectionManager > Operational.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 1, 2016 10:46 AM
    Moderator
  • RemoteApp Manager

    RD Session Host Configuration

    Remote Desktop Services Manager



    BT


    • Edited by Doobster1 Thursday, June 9, 2016 8:38 PM incorrect information
    Wednesday, June 8, 2016 2:58 PM
  • I think I know what's going on.

    I believe that in order for RemoteConnectionManager > Operational to log events, the Terminal Server must be running the Windows Feature AppServer(Terminal Services Application Server). In other words, it has to be running as a full session host, not just in Remote Administration mode (with a maximum of 2 admin connections).

    Did you recently remove this feature (which requires integration with a Licensing Server) and shift this Terminal Server back into Remote Administration mode only?  If so, that may explain why this log no longer contains events.  I ask because you mention that all of your users are local admins.

    Note that in all scenarios, you will always have connection/disconnection relevant events in the Microsoft/Windows/TerminalServices-LocalSessionManager log.

    Thursday, June 9, 2016 12:19 AM
  • Microsoft/Windows/TerminalServices-LocalSessionManager log is empty as well.  ALL TS logs are empty on this server.

    This server was not previously setup as a TS AppServer.

    I saw this article which mentions changing the settings in rsop.msc but when I try to open that plug-in I get an "out of memory" error.

    https://support.microsoft.com/en-us/kb/921468


    BT


    • Edited by Doobster1 Thursday, June 9, 2016 5:55 PM typo
    Thursday, June 9, 2016 5:53 PM
  • Doobster1,

    I managed to enable the RemoteConnectionManager (Operational) log on a 2008 r2 server running in Remote Admin RDS mode.  See screenshot below.  Once I did that, it started recording events.  Can you double-check to see if the "Enable Log" menu option is showing on either RemoteConectionManager (Operational) or LocalSessionManager (Operational)?  If so, that means that some process (or admin) disabled that log again after you re-enabled it.  If you see "Disable Log," that means that the log should be receiving events.

    Thursday, June 9, 2016 7:16 PM
  • Mine looks the same. I have tried disabling and re-enabling as well.

    


    BT

    Thursday, June 9, 2016 7:21 PM
  • I just reread where you said that some admins could read the log and other cannot.  This would suggest custom access rights being defined for the log.  Please open up regedit and check the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

    On my system, there is a value under this key called ChannelAccess.  It is set to the default SDDL string of:

    O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

    What is your ChannelAccess SDDL string set to?  If you change it back to the default (like mine), can you see the entries again after logging out/logging on?

    Thursday, June 9, 2016 7:58 PM
  • Yes please disregard that statement it turned out to be incorrect. A coworker was on the 02 server not the 01 server.

    The 2 registry entries are the same.


    BT

    Thursday, June 9, 2016 8:37 PM
  • Wow ... OK, I'm just about stumped. :)  Have you tried rebooting the box yet, given that you also received an out of memory error when you ran the rsop snap in?
    Thursday, June 9, 2016 8:52 PM
  • I'm stumped too! been doing this @15 years and haven't seen one act like this. Waiting on business approval for reboot time. Of course it's a 24/7 server.

    BT

    Friday, June 10, 2016 5:21 PM