A New and an Updated PowerShell Script

NOTE: Updated November 2016 to include the -ServersToQuery and -StartTime parameters.

e.g.

.\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime "November 1"

————————–

Hey everyone, yes I’m still alive!

Connection Report for Remote Desktop 

I wrote a script that connects to one or multiple servers and captures Remote Desktop logons, disconnects, reconnects and logoffs along with the connecting IP:

Download RDPConnectionParser.ps1 here
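The kind of query such a report is built on, as an added example (this is not the code of RDPConnectionParser.ps1): it reads session events 21, 23, 24 and 25 from the LocalSessionManager operational log and pulls out the user and connecting address. Only the -ServersToQuery and -StartTime parameter names come from this post; the function names, the 30-day default and the sample events are assumptions made for the example.

```powershell
# Added example; this is not the source of RDPConnectionParser.ps1.
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
# Session event IDs in that log and the action each one records.
$Actions = @{ 21 = 'logon'; 23 = 'logoff'; 24 = 'disconnected'; 25 = 'reconnection' }

function ConvertFrom-RdpSessionEvent {
    # Hypothetical helper: turns one event's XML (EventLogRecord.ToXml()) into a report row.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e  = ([xml]$EventXml).Event
        $id = [int]$e.System.EventID
        if (-not $Actions.ContainsKey($id)) { return }   # ignore unrelated events
        $d = $e.UserData.EventXML
        [pscustomobject]@{
            TimeUtc   = $e.System.TimeCreated.SystemTime
            Server    = $e.System.Computer
            User      = $d.User
            SessionID = $d.SessionID
            Address   = $d.Address   # empty when the event carries no Address element
            Action    = $Actions[$id]
        }
    }
}

function Get-RdpSessionReport {
    # Hypothetical wrapper for live use; defaults to the local machine and the last 30 days.
    param([string[]]$ServersToQuery = $env:COMPUTERNAME,
          [datetime]$StartTime = (Get-Date).AddDays(-30))
    $filter = @{ LogName = $LogName; Id = 21, 23, 24, 25; StartTime = $StartTime }
    foreach ($server in $ServersToQuery) {
        try {
            Get-WinEvent -FilterHashtable $filter -ComputerName $server -ErrorAction Stop |
                ForEach-Object { $_.ToXml() } | ConvertFrom-RdpSessionEvent
        } catch {
            # Unreachable host, blocked RPC or no matching events: warn and move on.
            Write-Warning "${server}: $($_.Exception.Message)"
        }
    }
}

# Constructed sample events (not from a real host) so the parser can be tried offline.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = foreach ($id in 21, 24, 25) {
    "<Event xmlns='$ns'><System><EventID>$id</EventID>" +
    "<TimeCreated SystemTime='2016-11-01T09:15:00Z'/><Computer>Server1</Computer></System>" +
    "<UserData><EventXML xmlns='Event_NS'><User>CONTOSO\alice</User>" +
    "<SessionID>2</SessionID><Address>203.0.113.7</Address></EventXML></UserData></Event>"
}
$sample | ConvertFrom-RdpSessionEvent | Format-Table -AutoSize
```

Against real servers, call `Get-RdpSessionReport -ServersToQuery Server1, Server2 -StartTime "November 1"` and pipe the rows to `Export-Csv` or `Format-Table`.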

Recipient Address Report (Formerly ProxyAddressCount)

I also updated the “Exchange Proxy Address (alias) Report” script.  It now includes a few environment metrics, as well as the regular CSV-style output:

Download the updated script here

14 thoughts on “A New and an Updated PowerShell Script”

  1. A friend has enabled RDP to his home computers thru port forwarding on his router. I’d like him to see if rogue RDP logon attempts have failed on his Windows 7 & 8 home computers. Can your script be run on a Windows 7 or 8 host to make a quick report of failed RDP login attempts?

    • I think it should work on Win7, but I haven’t tested it. In that same log, look for event 1012. It will state “remote session from client name exceeded the maximum failed logon attempts” or something like that, but I don’t believe it records the IP if a session isn’t successful. I would suggest your friend configure RDP on an alternate port, as exposing 3389 to the internet is a big risk, especially since Win7 doesn’t lock out accounts by default.

  2. Mike,

    I want to monitor the sessions getting created on my RD Server. Want to see when my employees logged in and logged out. Will the script be able to capture the information? Could you please guide something?

    Regards,

    • The script does report the information you’re looking for, but you would need to schedule it to run regularly. You could also attach triggers to the event viewer,

  3. How would you modify this to read the Microsoft-Windows-TerminalServices-Gateway/Operational log? I’m not a programmer but I substituted “Gateway” for “LocalSessionManager” but no results. Thanks!

  4. Thanks so much! I just made it work by using the xml specific to the gateway. I suppose it would be too simple to have a consistent naming convention…

  5. Hi Mike. Thanks for the post, this is a great script. I ran this script with two different accounts that are part of the administrators group, but the outcome showed different results for each account. This is the only error I got:

    Get-WinEvent : The RPC server is unavailable
    At H:\Company Shared Folders\..\RDPConnectionParser.ps1:30 char:19
    + $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
    nEventCommand

    Do you know if there is a specific firewall rule I need to enable on the remote RDS servers?

  6. And it looks like my first comment got lost as well while logging into Google+, so here it is again (sorry to bother you if I posted this more than one time):
    Thanks Mike! The RDP Connection script is working like a charm! That saved me a lot of headaches, to easily get a simple but informative summary of RDP-sessions.

    By the way, it isn’t very widespread, but I have got some information and a little batch s

  7. Pingback: PowerShell Scripts for your Exchange and Office 365 Toolkit
  8. Pingback: Digging into DDoS attacks * Best Wordpress Themes - Reviews
  9. Pingback: remote desktop – Digging into DDoS attacks | Asking
  10. Hi Mike, love this.
    Is there a way to limit to the last 30 days?
    Is there a way to just go to OU=Servers, and run on all there instead of inputting a few at a time?

  11. Hey Mike
    thanks, thanks, thanks
    for me you deserve a statue! and really deserve it with an engraving with the title “most valued” professional.

    I’ve spent hours on the internet hammering my head to get the IP addresses of users on my RDP!
    I got dozens of answers of installing (and purchasing) software, modify the GPO, enable logs, but for the sake of simplicity, how is that the servers logs so many (junk) varied registers, but cannot have the IP of the guy entering my server!

    and you have made it straightforward and easy.

    with all my emotion
    again thanks, thanks, thanks

    Blessings for you!
