How to tell who interactively snooped on my server?

Have you ever suspected that someone logged in to your server? Or do you just want to know who logged on to the server from the console or over RDP? The Event Log is the simple answer, but the harder part is finding the needle in the haystack. The quick answer is Event ID 4624. If you are not seeing this Event ID, check your audit policy.

GUI method

Run Event Viewer.

  • Click on “Security Logs”
  • Click on “Filter Current Logs”
  • Type in 4624 in “All Event IDs”
  • The filtered result shows all events related to logon activity on your server.
  • To further filter the noise, look at the description of each event, specifically the LogonType field.
  • There are multiple LogonTypes; interactive logons are represented by Type 2 and Type 10.

Unfortunately, it can be difficult to go through each log entry to find Type 2 and Type 10.

PowerShell method

PowerShell-based queries can be a little better than the GUI. Start PowerShell on your server and run the following query.

# Properties[8] is LogonType; compare it exactly so that only types 2 and 10 match
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
  Where-Object { $_.Properties[8].Value -in 2, 10 } |
  Select-Object TimeCreated,
    @{Name='User'; Expression={$_.Properties[5].Value}},
    @{Name='Domain'; Expression={$_.Properties[6].Value}},
    @{Name='Logon Type'; Expression={$_.Properties[8].Value}} |
  Format-Table

The query can be filtered further to get even more data. The report in the WinSignify app does all of this heavy lifting and gives you an even better report on the mobile app.
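Filtering the query further, as described above: this added example (not from the original post) moves the LogonType filter into the event query itself and reads the 4624 fields by name, which also exposes the source IP and workstation. The function names and the list of excluded account domains are assumptions of the example.

```powershell
# Added example (not from the original post). Run in an elevated session.
# Server-side filter: 4624 with LogonType 2 or 10, the two types the post uses.
$xpath = "*[System[EventID=4624] and EventData[" +
         "Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

# Assumption: these built-in service account domains are noise for this report.
$noiseDomains = 'Window Manager', 'Font Driver Host'

function ConvertTo-LogonRecord {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        # Index EventData by field name instead of relying on Properties[n] positions.
        $fields = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            User        = $fields['TargetUserName']
            Domain      = $fields['TargetDomainName']
            LogonType   = [int]$fields['LogonType']
            SourceIP    = $fields['IpAddress']
            Workstation = $fields['WorkstationName']
        }
    }
}

function Get-InteractiveLogon {    # hypothetical helper name
    param([int] $MaxEvents = 500)
    try {
        Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
            ConvertTo-LogonRecord |
            Where-Object { $_.Domain -notin $noiseDomains }
    } catch {
        # Get-WinEvent raises an error when nothing matches; point at the audit policy.
        Write-Warning ("Query failed or matched nothing: $($_.Exception.Message) " +
                       'Check: auditpol /get /subcategory:"Logon"')
    }
}

Get-InteractiveLogon | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```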

WinSignify method

This is the simplest method of all as you only need to tap 3 times to get your report.

  • Download the app from 
  • Configure the Gateway Server. Just one Gateway can be used to manage hundreds of computers in your network.
  • Once logged in, tap Reports, then tap Interactive Login. Done.
