Saturday, 26 November 2011

RDP logs

You can set the audit policy as follows.

=====
1. "Start -> Run".
2. Type 'gpedit.msc' (without the quotes).
3. Navigate to "Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies -> Audit logon events".
4. Highlight and right-click and select properties.
5. Configure as desired.
=====

Note: Logging in without a password counts as a "failure". This results in the security log filling up very fast if you log failures and have a user without a password. The result is you cannot login normally. Also note, not having a password is a potential and probable security risk.


The event log can be viewed by going to
-----
1. "Start -> Control Panel ->  Performance and Maintenance -> Administrative Tools".
2. Click on "Event Viewer".
3. Look in the Event Log (Security) for a Logon/Logoff Event 528. It should have a Logon Type 10.
-----

No comments: