Q: We believe someone at our company is using another employee’s account to access a workstation remotely through Remote Desktop Connection. We know the authorized employee couldn’t have accessed the workstation because at that time he was on a 12-hour flight with no Internet access. Can we get a list of all the Remote Desktop logons to our workstations from Small Business Server’s (SBS’s) Security log?
A: The short answer is no. Your question illustrates why it’s so important to enable auditing not only on your domain controllers (DCs), but also on your workstations and member servers.
Assuming the SBS system is your only server, it’s also your DC. And if the SBS system's audit policy is configured with default settings, the Security log will have a record of all the successful authentications of domain accounts—including Remote Desktop logons to workstations. (Default audit policy enables only successful account logon events—not failures.) In your DC’s Security log, look for event ID 672 (authentication ticket granted) in which the service name is the computer name of the workstation that was accessed. Also look for event ID 680 (account used for logon by) where the workstation name matches that of the accessed workstation. In both events, the description’s User Name line will identify the user who was authenticated to the workstation.
However, you must understand that DCs log authentication events—not logon events (there’s a difference). Authentication is the same to a DC no matter what type of logon occurs at the workstation. From the DC’s Security log you can't determine whether the authentication event was caused by a Remote Desktop Connection logon, a local console logon, or a logon to a shared folder on the workstation.
The only way to find out what caused the authentication event is to enable the workstation’s logon/logoff auditing. Most Windows workstations don’t enable auditing by default, so unless you’ve already enabled logon auditing for the workstation, no such record exists. Also note that DC Security logs show only authentication events involving domain accounts. Any attempt to log on to a workstation using a local account in the workstation’s SAM will show up only in that workstation's Security log, not in the DC's Security log.
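The DC-side search described in the answer, sketched as an added example that is not part of the original column: it filters an exported Security log for event IDs 672 and 680 that name one workstation and one account inside a time window, such as the hours of the flight. The export layout, the field labels (taken from the answer's wording), the computer and user names, and the dates are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample of a DC Security log text export (not real log data).
# The record layout and field labels are assumptions following the answer's wording.
SAMPLE_EXPORT = """\
Date: 2005-03-14 09:12:44
Event ID: 672
User Name: jsmith
Service Name: WKSTN07

Date: 2005-03-14 09:12:45
Event ID: 680
User Name: jsmith
Workstation: WKSTN07

Date: 2005-03-14 09:30:02
Event ID: 672
User Name: mlee
Service Name: WKSTN03

Date: 2005-03-14 22:05:10
Event ID: 680
User Name: jsmith
Workstation: WKSTN01
"""

# Which field names the accessed machine: service name for 672, workstation for 680.
MACHINE_FIELD = {"672": "Service Name", "680": "Workstation"}

def parse_records(text):
    """Split the export on blank lines and turn each record into a dict."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        fields["Date"] = datetime.strptime(fields["Date"], "%Y-%m-%d %H:%M:%S")
        records.append(fields)
    return records

def authentications_to(records, workstation, user, start, end):
    """Return (time, event ID, user) for 672/680 events naming the workstation.

    A hit is an authentication only; the DC log cannot show the logon type.
    """
    hits = []
    for r in records:
        field = MACHINE_FIELD.get(r.get("Event ID"))
        if (field and r.get(field, "").upper() == workstation.upper()
                and r.get("User Name", "").lower() == user.lower()
                and start <= r["Date"] <= end):
            hits.append((r["Date"], r["Event ID"], r["User Name"]))
    return hits
```
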