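A Windows Server 2008 HPC Edition box is permanently logging logon and logoff tasks every few seconds for users who are connected to it via RDP. Is there a way to log only user-initiated logon and logoff events?
A typical logoff event looks like this: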
An account was logged off.
Subject:
Security ID: DOMAIN\USERX
Account Name: USERX
Account Domain: DOMAIN
Logon ID: 0x1c4f9eb
Logon Type: 3
A typical logon event looks like this:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: DOMAIN\USERX
Account Name: USERX
Account Domain: DOMAIN
Logon ID: 0x1c54963
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: XX-YY
Source Network Address: -
Source Port: -
Only two users are connected via RDP, and this behavior does not depend on them performing any specific action on the server.