Audit RDG Connections

Don’t get confused: RDG is the acronym for “Remote Desktop Gateway”, formerly known as TSG (Terminal Services Gateway). It is the endpoint that terminates Remote Desktop connections encapsulated in an HTTPS tunnel. To get the history of remote desktop accesses made through the gateway, you can do:

# Extract info from logs: connect/disconnect events written by the RD Gateway role
$RDGevents = Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-Gateway/Operational"; ID = 303, 302, 202, 307 } -ErrorAction SilentlyContinue

$eventsar = @()
foreach ($event in $RDGevents)
{
    $eventtype = $null
    # Event ID meanings: http://technet.microsoft.com/en-us/library/ee891388%28WS.10%29.aspx
    switch ($event.Id)
    {
        303 { $eventtype = "disconnect" }
        307 { $eventtype = "disconnect at timeout" }
        202 { $eventtype = "disconnected by admin" }
        302 { $eventtype = "connect" }
    } # end of switch

    # Properties[0] = user, [1] = client IP address, [3] = target resource
    $eventsar += New-Object -TypeName PSObject -Property @{
        RDGServerName = $env:computername
        UserName      = $event.Properties[0].Value
        IpAddress     = [net.ipaddress]$event.Properties[1].Value
        Resource      = $event.Properties[3].Value
        TimeCreated   = $event.TimeCreated
        Result        = $eventtype
    }
}

# Display results, oldest first
$eventsar | Sort-Object -Property TimeCreated | Format-Table -AutoSize -Wrap
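Once the connect and disconnect records are collected, the next audit step is to turn them into sessions. The following is an added example, not code from the original post: it pairs each user's connect with that user's next disconnect (from the same client IP) to get a session duration, and flags sessions whose source address is outside the expected client network. The allowed prefix and the sample records are constructed assumptions.

```powershell
function Get-RDGSessions {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects shaped like $eventsar above
        [string] $AllowedPrefix = '10.0.0.'          # assumption: expected client subnet
    )
    $open = @{}        # "user|ip" -> most recent connect record without a disconnect yet
    $sessions = @()
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $key = "$($e.UserName)|$($e.IpAddress)"
        if ($e.Result -eq 'connect') { $open[$key] = $e; continue }
        # any of the three disconnect variants closes the open session for that key
        if (-not $open.ContainsKey($key)) { continue }   # disconnect outside the collected window
        $start = $open[$key]
        $sessions += [pscustomobject]@{
            UserName   = $e.UserName
            IpAddress  = $e.IpAddress
            Resource   = $start.Resource
            Start      = $start.TimeCreated
            End        = $e.TimeCreated
            Minutes    = [math]::Round(($e.TimeCreated - $start.TimeCreated).TotalMinutes, 1)
            EndReason  = $e.Result
            Unexpected = -not $e.IpAddress.ToString().StartsWith($AllowedPrefix)
        }
        $open.Remove($key)
    }
    # connects with no disconnect seen yet: still open, or the disconnect is outside the window
    foreach ($start in $open.Values) {
        $sessions += [pscustomobject]@{
            UserName = $start.UserName; IpAddress = $start.IpAddress; Resource = $start.Resource
            Start = $start.TimeCreated; End = $null; Minutes = $null; EndReason = 'still open'
            Unexpected = -not $start.IpAddress.ToString().StartsWith($AllowedPrefix)
        }
    }
    return $sessions
}

# Constructed sample records, same shape as the $eventsar objects built above
$t = Get-Date '2024-01-15 08:00'
$sample = @(
    [pscustomobject]@{ UserName = 'CORP\alice'; IpAddress = [ipaddress]'10.0.0.25';   Resource = 'srv1:3389'; TimeCreated = $t;                   Result = 'connect' }
    [pscustomobject]@{ UserName = 'CORP\bob';   IpAddress = [ipaddress]'198.51.100.7'; Resource = 'srv2:3389'; TimeCreated = $t.AddMinutes(5);    Result = 'connect' }
    [pscustomobject]@{ UserName = 'CORP\alice'; IpAddress = [ipaddress]'10.0.0.25';   Resource = 'srv1:3389'; TimeCreated = $t.AddMinutes(42);   Result = 'disconnect' }
    [pscustomobject]@{ UserName = 'CORP\bob';   IpAddress = [ipaddress]'198.51.100.7'; Resource = 'srv2:3389'; TimeCreated = $t.AddMinutes(190);  Result = 'disconnect at timeout' }
    [pscustomobject]@{ UserName = 'CORP\carol'; IpAddress = [ipaddress]'10.0.0.40';   Resource = 'srv1:3389'; TimeCreated = $t.AddMinutes(200);  Result = 'connect' }
)
Get-RDGSessions -Events $sample | Sort-Object Start | Format-Table -AutoSize
```

Run with `$eventsar` from the script above in place of `$sample`; filter on `Unexpected` to list only sessions from outside the allowed network.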