Administrators and privileged users often use RDP client software such as Remote Desktop to access a server to perform tasks and troubleshoot problems. When doing so, it's difficult to pinpoint the last actions that were applied to the server. However, if you know which administrators and privileged users recently logged on to that server, you can contact them to find out this information. I've come up with a batch file—RDPLogon.bat—that lets you quickly identify those people.
Here's what you need to do:
- On your server, create a folder named RDP on the C drive (C:\RDP). For the batch file to work, the Remote Desktop Users group must have permission to write to this location. (It's assumed that the people who use RDP to access servers from remote machines are either administrators—who by default have RDP permission—or members of the Remote Desktop Users group.)
- Create a batch file that contains the code shown in Listing 1. Alternatively, you can download RDPLogon.bat by clicking the Download the Code Here button. Note that your server needs to be using the default RDP port (port 3389) for RDPLogon.bat to work.
- Place the batch file in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder on the server.
Listing 1: RDPLogon.bat
REM Record who logged on (domain account) and when
Echo %date% %time% %username% >> c:\RDP\RDPlog.txt
REM Record the TCP connections on the RDP port; the foreign address is the client
Netstat -n -p tcp | Find ":3389" >> c:\RDP\RDPlog.txt
REM Separator line between logon entries
Echo ================================================================== >> c:\RDP\RDPlog.txt
RDPLogon.bat captures information about each person who logs on to the server and appends that information to an output file named RDPlog.txt, which resides in C:\RDP. By looking at the RDPlog.txt file, you can identify the administrators and privileged users who logged on recently and which machines they used for that logon.
Figure 1 shows sample output from RDPLogon.bat.
This output contains information about three logons. (For easier reading, the batch file writes a separator line of equals signs after each logon entry.) The first line in each entry shows when the logon occurred (date and time) and by whom (the user's domain ID).
You can find out where each logon occurred by looking at the second line in each entry. The information in this line is obtained using the Netstat command. The second string of numbers, which I highlighted in yellow in Figure 1, shows the IP address and port number of the remote machine used for the logon, that is, the client's end of the RDP connection. (The first string of numbers is the server's IP address and RDP port number.) If an entry is missing the Netstat results, like the last entry in Figure 1, it means that the logon was done from the physical server console.
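Once RDPlog.txt has accumulated weeks of entries, reading it by eye gets tedious. The following parser is an added example, not part of the original article or its download, that reads a file in the exact layout Listing 1 produces (a "date time username" line, zero or more Netstat lines, then a separator line of equals signs) and prints one summary line per logon. It assumes the standard four-column Netstat -n -p tcp layout (Proto, Local Address, Foreign Address, State). It also handles two things the raw file does not make obvious: when several RDP sessions are established at the moment the batch file runs, Netstat lists all of them and the file cannot say which one belongs to the new logon, so the parser flags the entry as ambiguous; and because Find ":3389" also matches connections where the server itself is the RDP client, the parser keeps only connections whose local port is 3389. The sample log embedded in the script is constructed for illustration.

```python
"""Summarize RDPlog.txt entries written by RDPLogon.bat (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

RDP_PORT = 3389

# Constructed sample in the layout RDPLogon.bat produces:
# "%date% %time% %username%", then the Netstat lines matching ":3389",
# then a line of "=" separating entries. The third entry has no Netstat
# line, which the article explains means a logon at the physical console.
SAMPLE_LOG = """\
Tue 03/14/2006 14:05:33.21 jsmith
  TCP    192.168.1.10:3389      192.168.1.55:49832     ESTABLISHED
==================================================================
Tue 03/14/2006 15:22:07.88 adminb
  TCP    192.168.1.10:3389      192.168.1.55:49832     ESTABLISHED
  TCP    192.168.1.10:3389      10.0.0.23:51077        ESTABLISHED
==================================================================
Tue 03/14/2006 16:40:12.03 consoleop
==================================================================
"""

# Netstat -n -p tcp row: Proto, Local Address, Foreign Address, State.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<lhost>\S+):(?P<lport>\d+)\s+"
    r"(?P<rhost>\S+):(?P<rport>\d+)\s+(?P<state>\S+)"
)
SEPARATOR_RE = re.compile(r"^=+\s*$")


@dataclass
class LogonEntry:
    timestamp: str                      # "%date% %time%" as written by cmd
    user: str                           # %username%
    remote_endpoints: List[Tuple[str, int]] = field(default_factory=list)

    @property
    def console(self) -> bool:
        # No established connection to port 3389 at logon time means the
        # session was opened at the physical server console.
        return not self.remote_endpoints

    @property
    def ambiguous(self) -> bool:
        # Several sessions were connected when the batch file ran; Netstat
        # cannot tell which of them belongs to this particular logon.
        return len(self.remote_endpoints) > 1


def parse_rdplog(text: str) -> List[LogonEntry]:
    """Split RDPlog.txt text into one LogonEntry per separator-delimited block."""
    entries: List[LogonEntry] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if SEPARATOR_RE.match(line):
            if current is not None:
                entries.append(current)
                current = None
            continue
        m = NETSTAT_RE.match(line)
        if m:
            # Keep only inbound RDP sessions: local port 3389 and ESTABLISHED.
            # Find ":3389" would also match the server's own outbound RDP
            # connections, whose *foreign* port is 3389.
            if (current is not None
                    and int(m.group("lport")) == RDP_PORT
                    and m.group("state") == "ESTABLISHED"):
                current.remote_endpoints.append((m.group("rhost"), int(m.group("rport"))))
            continue
        # Any other line starts a new entry: last token is %username%,
        # everything before it is %date% %time%.
        parts = line.split()
        if len(parts) >= 2:
            current = LogonEntry(timestamp=" ".join(parts[:-1]), user=parts[-1])
    if current is not None:          # file truncated before its final separator
        entries.append(current)
    return entries


def summarize(entries: List[LogonEntry]) -> List[str]:
    """One human-readable line per logon: when, who, and from where."""
    out = []
    for e in entries:
        if e.console:
            where = "physical console"
        else:
            where = ", ".join(f"{host}:{port}" for host, port in e.remote_endpoints)
            if e.ambiguous:
                where += " (multiple sessions; source not unique)"
        out.append(f"{e.timestamp}  {e.user}  from {where}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_rdplog(SAMPLE_LOG)):
        print(line)
```

To run it against a real file, read C:\RDP\RDPlog.txt into a string and pass it to parse_rdplog. The filters on local port and state are the part worth keeping even if you rewrite the rest: without them, a server that also opens outbound RDP sessions produces entries whose "remote machine" is really another server.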
RDPLogon.bat is a simple tool that you can use to quickly identify the administrators and privileged users who recently logged on to a server. Armed with this knowledge, you can contact them to find out the last actions they performed on the server. This is much faster than looking through and trying to decipher huge event logs to find the last actions. Note that this tool is meant for environments in which administrators and privileged users are cooperative, since they could conceivably delete their logon entries if they know the RDPlog.txt file exists and want to hide their actions.