Timeline for How to get a list of users who has logged on to a remote computer?
Current License: CC BY-SA 3.0
9 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Oct 22, 2015 at 12:53 | vote | accept | KhaledMaged | ||
| Oct 21, 2015 at 20:15 | comment | added | DrZoo |
@KhaledMaged Another thing you could try is again going to Event Viewer and look under Application and Services logs. Then look under the RemoteApp and Desktop Connections folder and try the TerminalServices-LocalConnectionManager, TerminalServices-RemoteConnectionManager folders. Hopefully one of those have valuable information that you could use.
|
|
| Oct 21, 2015 at 16:24 | comment | added | KhaledMaged | @DrZoo But this field gives me the name of the remote computer in all cases. Even in the cases where I logged. Only the name of the remote computer itself. I know this may be weird, but that's what I have in front of me. | |
| Oct 21, 2015 at 16:12 | history | edited | DrZoo | CC BY-SA 3.0 |
updated the image
|
| Oct 21, 2015 at 16:12 | comment | added | DrZoo |
@KhaledMaged as long as you guys all have a different computer, you can tell which computer it is by checking the computer name in the log. The computer name is the field that says Computer. I updated the image and circled the computer name field in blue.
|
|
| Oct 21, 2015 at 16:07 | comment | added | KhaledMaged | Thanks for the reply, but can I tell from which IP address he has logged? Because actually me and my team members all have the administrator account. So when I look at "Account Name", it just gives me "Administrator" which doesn't help. | |
| Oct 21, 2015 at 16:01 | comment | added | DrZoo |
As a side note to my answer, when filtering by event ID the times are no longer in chronological order by time. You could either choose to Filter Current Log... and specify what you want, or you could organize it by Date and Time then look for the correct ID. Assuming you have a general time frame of when this happened, sorting by Date and Time may be the best option.
|
|
| Oct 21, 2015 at 15:57 | comment | added | Frank Thomas | I find filtering on eventID 4624 to be the best way to extract this information from the Security log. | |
| Oct 21, 2015 at 15:51 | history | answered | DrZoo | CC BY-SA 3.0 |