{"id":201,"date":"2014-07-22T13:10:42","date_gmt":"2014-07-22T18:10:42","guid":{"rendered":"https:\/\/sysadminnightmare.com\/?p=201"},"modified":"2014-07-22T13:10:42","modified_gmt":"2014-07-22T18:10:42","slug":"server-logins","status":"publish","type":"post","link":"https:\/\/sysadminnightmare.com\/index.php\/2014\/07\/22\/server-logins\/","title":{"rendered":"Server Logins"},"content":{"rendered":"

Real quick post on a tech tip type of incident I ran into today.<\/p>\n

On a server I needed to simply see who has logged into it. I am sure there are several hundred of ways to complete this, but my technique was to check out the security event log. <\/p>\n

While looking at the event log I did find the Event ID 4624 which shows logon events. Great .. I will just filter these and see who was been on it. <\/p>\n

The problem I found is that this also shows all the agents or other events where accounts “logon” to the system. So it wasn’t a small list, nor just what I wanted. So turning to a Custom View I filtered with the following XML which showed me those Events, but also filtered by Logon Type to be 10, which is Remote Desktop Logins.<\/p>\n

Exactly what I needed. So here: <\/p>\n

[code language=”css”]
\n
\n
\n