Remote Desktop auditing may not be working (no logs in event viewer?)


  1. Posts : 6
    Windows 10
       #1


    I have a Windows 10 Pro workstation that is connected to a domain that I'm trying to monitor remote desktop usage on. A user will work from home from time to time by connecting directly to that workstation with Remote Desktop.

    Because I have enabled Remote Desktop on that workstation, I would like to monitor all Remote Desktop activity on it - all successful and unsuccessful login attempts.

    Currently all I'm getting it seems is successful logins when I look in:
    Event Viewer --> Application and Services Logs --> Microsoft --> Windows --> TerminalServices-RemoteConnectionManager --> Operational.
    The only events I have in there are #1149 which are the successful login attempts (great - that's half of what I need), and #261 which are TCP received a connection (don't care). I tried logging in with a fake user name and password several times before checking the event log of course to see if it would show up in the log, but alas, none appeared.

    I have found several articles on the web that say to make a change in the policy. So first I went to the computer's Local Group Policy Editor, and made the following change:
    Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> System Audit Policies - Local Group Policy Object --> Logon/Logoff --> Audit Logon.
    I checked all 3 boxes:
    1. Configure the following audit events
    2. Success
    3. Failure
    Clicked OK

    Then I tried logging into that workstation via Remote Desktop using a fake account/password again a couple times, then checked the TerminalServices-RemoteConnectionManager event log, and still no records of my unsuccessful attempts.

    I thought maybe I need to make the same change on the domain controller group policy, so on the domain controller I made the following change in:
    Default Domain Policy [myservername.mydomainname] Policy --> Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> Audit Policies --> Logon/Logoff --> Audit Logon
    I checked all 3 boxes:
    1. Configure the following audit events
    2. Success
    3. Failure
    Clicked OK


    Then in the computer's Local Security Policy, I made the following change:
    Security Settings --> Local Policies --> Security Options --> Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    Changed to 'Enabled'.
    (I don't remember why I did this - I swore I saw somewhere that you had to do this too).


    So even after all of that, I tried using a fake account/password to log in to that workstation via Remote Desktop, but still no events about any unsuccessful logon attempts.

    Am I missing something else here?


  2. Posts : 37
    Windows
       #2

    Do you get logs of unsuccessful login when you attempt it locally?


  3. Posts : 6
    Windows 10
    Thread Starter
       #3

    No, at least not in: Event Viewer --> Application and Services Logs --> Microsoft --> Windows --> TerminalServices-RemoteConnectionManager --> Operational.

    However, what I did discover is that I think I can use the 'Security' event log. When someone tries unsuccessfully to log in, it results in a #4625 event in the Security log. This seems to apply to local and Remote Desktop, but that's OK I guess. We're a small company so I can work out if they're physically here or not.

    Thank you @dpengel3 for getting me thinking further.

    Hopefully this helps someone out there looking to do the same thing.
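
An added example, not part of the original thread: PowerShell that reads the 4625 events mentioned in post #3 and uses each event's LogonType field to separate Remote Desktop attempts from console ones. The function name `ConvertFrom-FailedLogonXml` and the sample event are constructed for illustration; LogonType 10 is RemoteInteractive, and with Network Level Authentication a failed RDP attempt is typically recorded as type 3.

```powershell
# Added example: classify failed logons (Security event 4625) by logon type.
# Run from an elevated prompt; reading the Security log requires admin rights.
auditpol /get /subcategory:"Logon"   # shows the effective Audit Logon setting

$LogonTypeName = @{
    2  = 'Interactive (console)'
    3  = 'Network (RDP with NLA usually lands here)'
    10 = 'RemoteInteractive (RDP)'
}

# Hypothetical helper: turns one event's XML into a flat object.
function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    [pscustomobject]@{
        Time        = $evt.System.TimeCreated.SystemTime
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $type
        Meaning     = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { 'Other' }
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# Constructed sample event (trimmed to the fields used above) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-01T12:00:00.0000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">fakeuser</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">HOME-PC</Data>
    <Data Name="IpAddress">203.0.113.10</Data>
  </EventData>
</Event>
'@
ConvertFrom-FailedLogonXml $sample

# Live query: failed logons from the last 24 hours, remote types only.
# SilentlyContinue hides the "no events found" error, and also access-denied errors.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-FailedLogonXml $_.ToXml() } |
    Where-Object { $_.LogonType -in 3, 10 } |
    Format-Table -AutoSize
```

Type 3 also covers other network logons such as file share access, so the SourceIp and Workstation columns are what tie a row to a Remote Desktop client.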
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
