We have a pool of develop machines where developers log in through RDP and usually they doesn't log off but just disconnect. As local administrator I can force the log off but I would like to check when the user disconnected.
From task manager I can see only the user name and its status
Is there a way to discover when the user disconnected using task manager, powershell, cmd or whatever?
You can use windows command query user UserName /server:ServerName or you can just enter query user /server:ServerName to find out all active or disconnected sessions.
Below is the sample output, I have blurred out my info for privacy:
I have also created a PowerShell script to do this task automatically, here is the link Powershell to find out disconnected RDP session and log off at the same time
As far as I know this is not in the security logs. The correct place to look for is in Microsoft Event Viewer under Applications and Services Logs => Microsoft => Windows => TerminalServices-LocalSessionManager => Operational and then under the Operational logs.
The eventID to look for is ID24 (disconnected user session). EventID 25 is a reconnect.
You can start the Windows Event Viewer and check under Windows logs --> Security. Filter by 'Task Category = Logoff'.
You can export it to xml for easier reading.
Start-->Run-->Eventvwr-->Windows logs-->Security. Filter by 'Task Category = Logoff'
