Remote Desktop Services login history

Solution 1:

You can use a script to collect this information. Not as ideal/simple, but it will get the job done. Here is a Powershell script that should work on Windows 7/Server 2008r2 or higher (this code can be further cleaned up on newer Powershell versions, but I have kept it as-is for backwards compatibility):

$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Results = @()
$Events = Get-WinEvent -LogName $LogName
foreach ($Event in $Events) {
    $EventXml = [xml]$Event.ToXML()

    $ResultHash = @{
        Time        = $Event.TimeCreated.ToString()
        'Event ID'  = $Event.Id
        'Desc'      = ($Event.Message -split "`n")[0]
        Username    = $EventXml.Event.UserData.EventXML.User
        'Source IP' = $EventXml.Event.UserData.EventXML.Address
        'Details'   = $Event.Message
    }

    $Results += (New-Object PSObject -Property $ResultHash)
}

$Results | Export-Csv 'Remote Desktop Users.csv'

Solution 2:

First off, if you didn't log it at the time (or the log has since been overwritten), you're out of luck.

Secondly, you want to look in the Security Event Log, and look for Event ID 528 and 540. Logon type 10 indicates a remote interactive logon (RDP).

Solution 3:

Based on https://gallery.technet.microsoft.com/Log-Parser-to-Identify-8aac36bd

Get-Eventlog -LogName Security | where {$_.EventId -eq "4624"} | select-object @{Name="User"
;Expression={$_.ReplacementStrings[5]}} | sort-object User -unique

You can grab other info from ReplacementStrings. You can also specify a remote computer in the Get-Eventlog command.