A New and an Updated PowerShell Script

NOTE: Updated November 2016 to include the -ServersToQuery and -StartTime parameters.

e.g.

.\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime "November 1"

————————–

Hey everyone, yes I’m still alive!

Connection Report for Remote Desktop 

I wrote a script that connects to one or multiple servers and captures Remote Desktop logons, disconnects, reconnects and logoffs along with the connecting IP:

Feb 2021 Edit:
Microsoft finally took down the TechNet Gallery. This script is now available on GitHub: https://github.com/Mike-Crowley/Public-Scripts/blob/main/RDPConnectionParser.ps1

Download RDPConnectionParser.ps1 here
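As an added example (this is not the RDPConnectionParser.ps1 script linked above, nor any of Mike's code), here is a minimal PowerShell function that does the same job: it reads the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log from one or more servers with Get-WinEvent, maps the session event IDs to the logon/disconnect/reconnect/logoff vocabulary the post uses, and pulls the connecting address out of each event's XML payload. The parameter names mirror the usage line at the top of the post; the function name Get-RdpSessionEvent and the default of midnight today for -StartTime are my own choices.

```powershell
# Added example, not the post's script: a small reader for the RDP session log.
function Get-RdpSessionEvent {
    [CmdletBinding()]
    param(
        [string[]]$ServersToQuery = $env:COMPUTERNAME,
        # Midnight today by default, so a daily scheduled task picks up today's sessions.
        [datetime]$StartTime = (Get-Date).Date
    )

    # Well-known event IDs in the LocalSessionManager/Operational log. Logoff (23)
    # carries no source address, so SourceIP is empty for those rows.
    $EventMap = @{
        21 = 'logon'          # Session logon succeeded
        23 = 'logoff'         # Session logoff succeeded
        24 = 'disconnected'   # Session has been disconnected
        25 = 'reconnection'   # Session reconnection succeeded
    }

    foreach ($Server in $ServersToQuery) {
        $Filter = @{
            LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            Id        = @($EventMap.Keys)
            StartTime = $StartTime
        }
        try {
            # -ErrorAction Stop makes errors such as "The RPC server is unavailable"
            # (and "No events were found") catchable instead of aborting the loop.
            $Events = Get-WinEvent -FilterHashtable $Filter -ComputerName $Server -ErrorAction Stop
        } catch {
            Write-Warning "$Server`: $($_.Exception.Message)"
            continue
        }
        foreach ($Event in $Events) {
            # User and address live in the <UserData><EventXML> payload, not in the message text.
            $Xml  = [xml]$Event.ToXml()
            $Data = $Xml.Event.UserData.EventXML
            [pscustomobject]@{
                Time     = $Event.TimeCreated
                Server   = $Server
                User     = $Data.User
                SourceIP = $Data.Address   # 'LOCAL' for console sessions
                Action   = $EventMap[$Event.Id]
            }
        }
    }
}

# Usage: Get-RdpSessionEvent -ServersToQuery Server1, Server2 -StartTime 'November 1' |
#        Export-Csv -Path .\RdpSessions.csv -NoTypeInformation -Encoding UTF8
```

Reading a remote server's log this way needs the Remote Event Log Management firewall rules open on that server and an account with read access to the log; -Encoding UTF8 on the export keeps non-ASCII user and computer names intact.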

Recipient Address Report (Formerly ProxyAddressCount)

I also updated the “Exchange Proxy Address (alias) Report” script. It now includes a few environment metrics, as well as the regular CSV-style output:

Download the updated script here

Feb 2021 Edit:
Microsoft finally took down the TechNet Gallery. This script is now available on GitHub: https://github.com/Mike-Crowley/Public-Scripts/blob/main/RecipientReportv5.ps1

39 thoughts on “A New and an Updated PowerShell Script”

  1. A friend has enabled RDP to his home computers thru port forwarding on his router. I’d like him to see if rogue RDP logon attempts have failed on his Windows 7 & 8 home computers. Can your script be run on a Windows 7 or 8 host to make a quick report of failed RDP login attempts?

    • I think it should work on Win7, but I haven’t tested it. In that same log, look for event 1012. It will state “remote session from client name exceeded the maximum failed logon attempts” or something like that, but I don’t believe it records the IP if a session isn’t successful. I would suggest your friend configure RDP on an alternate port, as exposing 3389 to the internet is a big risk, especially since Win7 doesn’t lock out accounts by default.

      • Dear Mike,

        I am new to learning PowerShell. How do I run this on my Windows Server 2016? Could you please send me the steps to run it on Windows Server 2016.

  2. Mike,

    I want to monitor the sessions getting created on my RD Server. Want to see when my employees logged in and logged out. Will the script be able to capture the information? Could you please guide something?

    Regards,

    • The script does report the information you’re looking for, but you would need to schedule it to run regularly. You could also attach triggers to the event viewer,

  3. How would you modify this to read the Microsoft-Windows-TerminalServices-Gateway/Operational log? I’m not a programmer but I substituted “Gateway” for “LocalSessionManager” but no results. Thanks!

  4. Thanks so much! I just made it work by using the xml specific to the gateway. I suppose it would be too simple to have a consistent naming convention…

  5. Hi Mike. Thanks for the post, this is a great script. I ran this script with two different accounts that are part of the administrators group, but the outcome showed different results for each account. This is the only error I got:

    Get-WinEvent : The RPC server is unavailable
    At H:\Company Shared Folders\..\RDPConnectionParser.ps1:30 char:19
    + $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

    Do you know if there is a specific firewall rule I need to enable on the remote RDS servers?

  6. And it looks like my first comment got lost as well while logging into Google+, so here it is again (sorry to bother you if I posted this more than one time):
    Thanks Mike! The RDP Connection script is working like a charm! That saved me a lot of headaches, to easily get a simple but informative summary of RDP sessions.

    By the way, it isn’t very wide spread, but I have got some information and a little batch s

  10. Hi Mike, love this.
    Is there a way to limit to the last 30 days?
    Is there a way to just go to OU=Servers, and run on all there instead of inputting a few at a time?

  11. Hey Mike
    thanks, thanks, thanks
    for me you deserve a statue! and really deserve it with an engraving with the title “most valued” professional.

    I’ve spent hours on the internet hammering my head to get the IP addresses of users on my RDP!
    I got dozens of answers about installing (and purchasing) software, modifying the GPO, enabling logs, but for the sake of simplicity, how is it that the servers log so many (junk) varied registers, but cannot have the IP of the guy entering my server!

    and you have made it straightforward and easy.

    with all my emotion
    again thanks, thanks, thanks

    Blessings for you!

  12. Hi,
    I’m using the RDPConnectionParser.ps1 to notify me of all RDP logon/logoff activity for a specific user. I have noticed that there are many logon, disconnected, and reconnection entries in a short time span. I’m wondering if the user is actually performing this many logon and logoff actions or if maybe I’m misreading the report. Below is a sample.

    "11/6/2018 8:50:47 AM","ABC-SERVER\abcuser","localhost","IPAddress123","logon"
    "11/6/2018 9:02:38 AM","ABC-SERVER\abcuser","localhost","IPAddress123","disconnected"
    "11/6/2018 9:03:02 AM","ABC-SERVER\abcuser","localhost","IPAddress123","reconnection"
    "11/6/2018 9:28:25 AM","ABC-SERVER\abcuser","localhost","IPAddress123","disconnected"
    "11/6/2018 11:49:34 AM","ABC-SERVER\abcuser","localhost","IPAddressXYZ","reconnection"
    "11/6/2018 12:05:02 PM","ABC-SERVER\abcuser","localhost","IPAddressXYZ","disconnected"
    "11/6/2018 12:06:29 PM","ABC-SERVER\abcuser","localhost","IPAddressXYZ","reconnection"
    "11/6/2018 12:22:59 PM","ABC-SERVER\abcuser","localhost","IPAddressXYZ","disconnected"
    "11/6/2018 12:24:01 PM","ABC-SERVER\abcuser","localhost","IPAddressXYZ","reconnection"
    "11/6/2018 12:29:34 PM","ABC-SERVER\abcuser","localhost","IPAddressXYZ","disconnected"
    "11/6/2018 12:30:18 PM","ABC-SERVER\abcuser","localhost","IPAddressXYZ","reconnection"
    "11/6/2018 12:39:08 PM","ABC-SERVER\abcuser","localhost","IPAddressXYZ","disconnected"

    • You can review the event log yourself (eventvwr) to confirm. The script simply pulls from there. It could be a client with an unreliable network connection, but more context and investigation would be necessary.

  13. First, I would like to say thank you for putting this together. This gives me a quick idea of how many people I have logging into the RDS servers.
    Can I suggest adding event ids 41 and 42 for clustered rds servers?
    if ($_.EventID -eq '41') {"Begin Session"}
    if ($_.EventID -eq '42') {"End Session"}
    At row 65

    I am not sure how to grab the cluster name but if you can grab that and add it to the export I think it would be helpful as well.

  14. Thank you so much for this script. It is exactly what I was looking for. When running the script using: ./RDPConnectionParser.ps1 -ServersToQuery ServerName -StartTime "February 2, 2019"
    I only get the results of the current day (4 Feb)

  15. Hi, thank you very much for RDPConnectionParser – great work 🙂 Since i am using Linux-Servers in most cases, i would like to export the results of RDPConnectionParser in a MySQL Database. Do you have a hint how to do this?

  17. This script “Connection Report for Remote Desktop” is useful, but one improvement is needed:
    it doesn’t support Unicode usernames or PC names when it writes into the output file. Can you make such an edit please?

  18. Hello 🙂

    How would I modify the ‘StartTime’ parameter to increment by a day? I don’t have the StartTime variable in my batch file, but it will only pull back the day specified and so I need to have it so that the scheduled task pulls back the correct days logs each day, until specified otherwise :).

    Thanks!

  19. Hi Mike,

    Thanks for the script, it’s awesome!

    I’m looking to make an amendment so I can use it with a scheduled task to pull back the day’s logon/logoff stats for each day that it is running. Is there a way of substituting the value of -StartTime to be something like ‘Get-Date’ to pull back the relevant results?

    Thanks! Dan

  20. Say, for example, I’ve got an image file of a drive and I mount the image as drive letters. How can I run this on the mounted drive?
