Using OpsMgr to see which servers have not been logged on to via RDP



Comments (7)
  1. Anonymous says:

    Hi Kevin,

    I followed the step by step option you have provided here but I am getting all servers with agents on my result.

    Am I missing something? Looks like it is not filtering the option. Thanks.

  2. Anonymous says:

    Hi Kevin,

    Thank you for this great post. I am going to test this on our environment today.


  3. Anonymous says:

    Hi Kevin,

    1. Audit policy is configured right. I can see the event on the security log.

    2. I have a scheduled report to run every with this collection rule for information about RDP sessions to servers, and I can see different users logging into different servers, so I think the collection rule is configured correctly.

    3. It’s been about a month since I configured this.

    4. I even created a view under my workspace using this collection rule and I can see 528 with logon type 10 on that view.

    Any help would be appreciated. Thank you.

  4. Kevin Holman says:

    You’d need to run the SQL query manually – if it returns all servers, then all servers have NOT collected that event.


    1.  Either your audit policy isn’t configured (see if you actually create an event 528 on RDP login into a security log)

    2.  Your event collection rule is misconfigured

    3.  You havent waited long enough.

    Simply run a SQL query against the event table… look for the 528 event… or create a view in My Workspace to show these events.  If you don’t have any – there is the first part of your answer.

  5. Anonymous says:

    So…. with the introduction of Server 2008 into OpsMgr… as a monitored agent, you might need to re-evaluate

  6. Hi Kevin, wouldn’t it be better to use the ACS feature for collecting security logs?

    If you have ACS installed you are effectively already collecting those events in a database that has a better schema for them… no need to collect them in the operations DB like you would have done in MOM2000/2005…

  7. Robb Dilallo says:

    Kevin, great post!  I’m looking forward to creating this report tomorrow.  Something else that’d be useful is a report on which servers have users still logged on via RDP.  Sys Admins (including myself) have the tendency of taking up RDP connections on servers, inadvertently preventing others from logging on via RDP.  🙂

Comments are closed.
