
As in the subject. I think it would be good to know as many things as possible to check to find out who or what removed my RDP session. For instance, we have a developer console server where we do some development, and many times we leave the sessions disconnected to continue the work the following day. Sometimes it happens that the session is closed/removed by something or somebody.

I would just like to have the most complete possible list of things to check to find the root cause on Windows Server 2003, 2008 and 2012 editions. I gathered the following.

Check if:

  1. there was a reboot of the server (e.g. by patching activities) – checking NT event log ID: 1074
  2. the RDP service was stopped/restarted – any ideas?
  3. the session has been removed by a human – is this activity logged in the NT event log?

Can you please answer the questions, and do you have any other ideas?
essential
  • Did you try setting some audits? – HEDMON Oct 18 '16 at 12:00
  • Check this answer: http://serverfault.com/a/206090/233024 – HEDMON Oct 18 '16 at 12:01
  • Enabling auditing is a good idea. However, in my organization we are not allowed to configure Windows servers (another team is responsible for this). So I can use "read-only" tools/system utilities to check this. – essential Nov 22 '16 at 16:23
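
An added example, not part of the original question or its comments: a read-only PowerShell query that puts the three checks from the list on one timeline. It goes beyond the event ID 1074 named in the question by also reading Service Control Manager event 7036 and the TerminalServices-LocalSessionManager operational log. Assumptions: Windows Server 2008 or later (`Get-WinEvent` and that operational log are not available on Server 2003), an account that can read these logs, English service display names, and a two-day look-back window.

```powershell
# Read-only triage: queries existing logs, changes no audit policy or configuration.
$since = (Get-Date).AddDays(-2)   # assumed look-back window, adjust as needed

# One entry per check from the question's list.
$checks = @(
    # 1. Reboot: event 1074 records the process, user and reason for a shutdown/restart.
    @{ Log = 'System'; Ids = 1074 },
    # 2. Service stop/restart: 7036 is logged when any service changes state.
    @{ Log = 'System'; Ids = 7036 },
    # 3. Session ended: 23 = logoff succeeded, 24 = disconnected,
    #    40 = disconnected with a reason code.
    @{ Log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational';
       Ids = 23, 24, 40 }
)

$timeline = foreach ($c in $checks) {
    $filter = @{ LogName = $c.Log; Id = $c.Ids; StartTime = $since }
    # SilentlyContinue: a log with no matching events raises an error otherwise.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # Keep only 7036 entries for the RDP service (display name differs
        # between 2008 and 2008 R2+; assumed English message text).
        Where-Object { $_.Id -ne 7036 -or
                       $_.Message -match 'Remote Desktop Services|Terminal Services' } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Sort everything by time so a session logoff can be lined up against
# a reboot or a service state change that happened at the same moment.
$timeline | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

A session logoff (23) with no 1074 or 7036 entry at the same time means the server and the service stayed up, which narrows the cause to something acting on the session itself.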
