find user disconnection time in RDP session Windows server 2012
Solution 1
As far as I know this is not in the security logs. The correct place to look for is in Microsoft Event Viewer
under Applications and Services Logs => Microsoft => Windows => TerminalServices-LocalSessionManager => Operational
and then under the Operational logs.
The eventID to look for is ID24 (disconnected user session). EventID 25 is a reconnect.
Solution 2
You can use windows command query user UserName /server:ServerName or you can just enter query user /server:ServerName to find out all active or disconnected sessions.
Below is the sample output, I have blurred out my info for privacy:
I have also created a PowerShell script to do this task automatically, here is the link Powershell to find out disconnected RDP session and log off at the same time
Solution 3
You can start the Windows Event Viewer and check under Windows logs --> Security
. Filter by 'Task Category = Logoff'
.
You can export it to xml for easier reading.
Naigel
I've always had a passion for IT related stuffs. Suddenly I found myself as a computer engineering student, then I accidentally started my career as system engineer, then evolved into a data analyst and finally reached the status of computer scientist. What does this exactly mean? Well... not sure yet, I guess it's like being a software engineer who understand some theoretical computer science.
Updated on July 03, 2022Comments
-
Naigel almost 2 years
We have a pool of develop machines where developers log in through RDP and usually they doesn't log off but just disconnect. As local administrator I can force the log off but I would like to check when the user disconnected.
From task manager I can see only the user name and its status
Is there a way to discover when the user disconnected using task manager, powershell, cmd or whatever?
-
Patrick over 8 yearsWhy don't you edit your previous answer and include this, instead of posting two answers (which are the same)?
-
Naigel over 8 yearsok answer nearly correct, of course I can't find the logoff because he didn't logged off, but just disconnected. Anyway I can't find any details, my security logs history is just too short
-
bluuf over 8 yearsa Logoff is something completely different as a disconnect in RDP.
-
Naigel over 8 yearsperfect, thank you! I corrected the path, it was incomplete. In that view I can find only real user connection, exactly what I was looking for