microsoft_windows:terminalserver:logs

Differences

This shows you the differences between two versions of the page.

microsoft_windows:terminalserver:logs [2020/03/09 16:16] rodolicomicrosoft_windows:terminalserver:logs [2020/03/09 16:26] rodolico
Line 3: Line 3:
 Microsoft hides the Remote Desktop logins pretty deep in their logging structure and there is not much information on how to programmatically get to it. I have a client who needed to get to this, so I figured I'd record what I came up with and some links. Microsoft hides the Remote Desktop logins pretty deep in their logging structure and there is not much information on how to programmatically get to it. I have a client who needed to get to this, so I figured I'd record what I came up with and some links.
  
-There is a lot of documentation on how to do this if you are running a Windows Domain, but in the main case here, that is not the case.+There is a lot of documentation on how to do this if you are running a Windows Domain, but in the main case here, that is not the case. This procedure works on machines which are not on a domain, looking a the local server and parsing the local log files.
  
 This has been tested on Windows 7, Server 2008r2 and Server 2019, the latter two running as Terminal Services servers. This has been tested on Windows 7, Server 2008r2 and Server 2019, the latter two running as Terminal Services servers.
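
Review bot: The added sentence on the "+" line has a typo, "looking a the local server", which should read "looking at the local server". While editing that line, the preceding sentence uses "case" twice ("in the main case here, that is not the case"); something like "but the machines covered here are not on a domain" reads more cleanly and leads straight into the new sentence about parsing the local log files.
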
Line 45: Line 45:
 $Results | Export-Csv -Path $currentDir; $Results | Export-Csv -Path $currentDir;
 </code> </code>
 +
 +The above script first asks for a start and end date for parsing, then opens //Microsoft-Windows-TerminalServices-LocalSessionManager/Operational// to get the logs. It then goes through each entry, looking for event type 25 (user logins) which fall in the date range. Once it has found all of them, it dumps the retrieved output to the same directory the script was run from as RemoteDesktopUsers_startdate_enddate.csv, a comma separated file which can be read by Excel or LibreOffice Calc.
  
 ===== Running the script ===== ===== Running the script =====
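
Review bot: The new paragraph says the output is written as RemoteDesktopUsers_startdate_enddate.csv, but the context line directly above it passes "$currentDir" to "Export-Csv -Path", and nothing in the visible lines shows that variable holding a file name rather than a directory. Either say in the paragraph how the file name is built from the start and end dates, or rename the variable in the script so the two agree. "The same directory the script was run from" is also ambiguous between the script's own location and the caller's working directory; state which one. Minor wording: "event type 25" would be clearer as "event ID 25", and "comma separated file" should be hyphenated.
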
microsoft_windows/terminalserver/logs.txt · Last modified: 2020/03/10 01:45 by rodolico