Now when someone logs in via RDP, their hostname is logged in c:\temp\rdp.log In Program type cscript.exe and in Add argument type c:\temp\log.vbs.In the Action-tab choose New and choose "Start a program".In "Log" choose Security and in "Event ID" type 4624.In the Trigger-tab choose New and choose "Begin the task" On an event.Click Start and type taskschd.msc then hit enter.Now for the last part create a scheduled task for starting this script. ObjFile.Write now() & " " & clientName & vbCrLf Set objFile=objFSO.OpenTextFile(outFile,ForAppending,True) Set objFSO=CreateObject("Scripting.FileSystemObject") SessionNumber = CInt(Trim(Mid(sOutput,iUserPos+iUserLen,iStatePos-iUserPos-iUserLen)))ĬlientName = LCase(oShell.RegRead("HKCU\Volatile Environment\"&sessionNumber&"\CLIENTNAME")) IUserLen = Len(oShell.ExpandEnvironmentStrings("%username%")) IUserPos = InStr(sOutput,LCase(oShell.ExpandEnvironmentStrings("%username%"))) Set oExec = oShell.Exec("query session %username%") Set oShell = CreateObject("WScript.Shell") (also edit the location of the desired logfile, here c:\temp\rdp.log) Function sessionNumberĭim oShell, oExec, sOutput, iUserPos, iUserLen, iStatePos Now create a VBScript-file (for example called c:\temp\log.vbs): Now check the Success box (failed attempts will not be logged this way).now navigate to Local Policy > Audit PolicyĪnd right click the Audit account logon events policy option and choose Properties.The Local Security Policy window will be displayed
Click Start and type secpol.msc then hit enter.I found this is needed because the other events triggered too early to get the hostname.
0 kommentar(er)
