Real quick post on a tech tip type of incident I ran into today.
On a server I needed to simply see who has logged into it. I am sure there are several hundred of ways to complete this, but my technique was to check out the security event log.
While looking at the event log I did find the Event ID 4624 which shows logon events. Great .. I will just filter these and see who was been on it.
The problem I found is that this also shows all the agents or other events where accounts “logon” to the system. So it wasn’t a small list, nor just what I wanted. So turning to a Custom View I filtered with the following XML which showed me those Events, but also filtered by Logon Type to be 10, which is Remote Desktop Logins.
Exactly what I needed. So here:
[code language=”css”]
[/code]