If you’ve ever had to troubleshoot problems on Remote Desktop servers in a busy environment, you know it can be maddening. When you have a lot of users, it can be difficult to track down the problem. In an RDP/Terminal Services environment, sometimes the most important thing is to identify a specific user’s Logon, Logoff, and Disconnect events. Initially it may seem that there’s no clear Remote Desktop Services logging. But it is there; it’s just buried in the Event Log. Here’s how to find and decipher Remote Desktop Services logging.
Finding Remote Desktop Services Logging
Open Event Viewer, expand Applications and Services Logs, expand Microsoft, expand TerminalServices-LocalSessionManager, select Operations.
In this log you’ll see all of the Remote Desktop Services logging events for this machine.
In Windows Server 2008, navigate to Event Viewer, Applications and Services Logs, Microsoft, Windows, TerminalServices-LocalSessionManager.
Understanding Remote Desktop Services Logging
Within the TerminalServices-LocalSessionManager Operations log you’ll find a number of helpful log events. Here are the important ones to help with troubleshooting.
- Event ID 21: User Logon – This event happens when a user logs into the server or desktop via Remote Desktop Services. The client IP address and username are captured.
- Event ID 23: User Logoff – This event occurs when a user logs off from a Remote Desktop Services session on a server or desktop.
- Event ID 24: User Disconnect – This happens when a user’s client is disconnected from the server. This can happen if there’s a network disruption, something on the server causes a disconnect, or if the user just closes the client without logging out.
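
The same three events can be pulled with PowerShell instead of scrolling through Event Viewer, which makes it easier to build a timeline for one user. This is an added example, not part of the original article. It assumes the channel name `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` and the `User`, `SessionID` and `Address` fields in each event's XML; the function name `Get-RdsSessionEvent` and the account `CONTOSO\jdoe` are made up for illustration.

```powershell
# Channel behind the TerminalServices-LocalSessionManager log described above (assumed name).
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# Event IDs from the list above, mapped to a readable action.
$Actions = @{ 21 = 'Logon'; 23 = 'Logoff'; 24 = 'Disconnect' }

function Get-RdsSessionEvent {
    param(
        [string]$User,                              # optional, e.g. 'CONTOSO\jdoe' (constructed)
        [datetime]$After = (Get-Date).AddDays(-7)   # how far back to search
    )

    $filter = @{ LogName = $LogName; Id = 21, 23, 24; StartTime = $After }

    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent reports an error when nothing matches; treat that as "no rows".
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw   # access denied, bad log name, etc. should stay visible
    }

    $events |
        ForEach-Object {
            # The session details live under UserData/EventXML in the event's XML.
            $data = ([xml]$_.ToXml()).Event.UserData.EventXML
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Action      = $Actions[$_.Id]
                User        = $data.User
                SessionId   = $data.SessionID
                ClientIP    = $data.Address   # not present on Event ID 23 (logoff)
            }
        } |
        Where-Object { -not $User -or $_.User -eq $User } |
        Sort-Object TimeCreated
}

# One user's logon/disconnect/logoff timeline for the last 7 days.
Get-RdsSessionEvent -User 'CONTOSO\jdoe' | Format-Table -AutoSize
```

A Disconnect (24) with no later Logoff (23) for the same user and session ID indicates a session that is still open on the server in a disconnected state.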