How to create an alert for Remote Desktop logon attempts to domain controllers

How to create an alert for Remote Desktop logon attempts to domain controllers

Objective   

This article explains how to configure a real-time alert in ADAudit Plus to notify you of both successful and failed Remote Desktop (Remote Interactive) logon attempts to your domain controllers (DCs). 

Prerequisites   

  • You must have access to the ADAudit Plus web console with an administrator account or a technician account that has permissions to create alert profiles.

  • Your on-premises DCs must be configured in ADAudit Plus and successfully collecting security logs.

  • If you wish to receive notifications, the relevant services must be configured:

    • Email: SMTP server settings must be configured under Admin > General Settings > Server Settings.

    • SMS: Your SMS provider must be configured under Admin > General Settings > Server Settings > SMS.

    • Tickets: Your ticketing tool must be integrated under Admin > Configuration > Ticketing system Integration.

 Steps to follow   

  1. Log in to the ADAudit Plus web console.
  2. Navigate to the Alerts tab, then click New Alert Profile.

  3. Enter a relevant Name and Description for the alert (e.g., "RDP Logon Attempts to DCs").

  4. In the Report Profiles field, click the + symbol.

  5. In the Select Report Profile window, configure the following:

    • Domain: Select your on-premises domain.

    • Category: Choose Local Logon-Logoff.

    • Report Profile: Select both the Local Logon Failures for Computers and Local Logon Success for Computers report profiles, then click OK.

  1. Under Advanced Configuration, check the Filter box.

  2. Configure the filters to define the specific conditions for the alert:

    • Filter 1 (Specify DCs): Set the first filter to: Where | equals | [Click Add and select all your Domain Controllers].

    • Filter 2 (Specify RDP Logon): Click the plus icon (+) to add another filter with the AND operator. Set it to: Logon Type | contains | Remote Interactive.


  1. In the Alert Actions section, enable your desired notification methods, such as E-mail Notification, SMS Notification, or Configure Auto Ticketing.

  2. Click Save to activate the alert profile.

 Validation and confirmation   

  • Simulate the event: Attempt to log on to one of your DCs via Remote Desktop. First, try with an incorrect password, then with a correct one.
  • Check the console: In the ADAudit Plus Alerts tab, verify that new alerts from this profile have been triggered for both the failed and successful logon attempts.

  • Verify notifications: Confirm that you have received the alerts via email or any other notification channel you configured. 

 Tips   

  • Remote Desktop Protocol (RDP) access to domain controllers should be strictly controlled. Any alert from this profile, especially for a failed logon, may indicate a security threat and should be investigated immediately.

  • To prioritize investigations, consider creating a separate, higher-severity alert profile that triggers only on failed RDP logon attempts. 


      New to M365 Manager Plus?
      New to M365 Manager Plus?
        New to RecoveryManager Plus?
        New to RecoveryManager Plus?
          New to Exchange Reporter Plus?
          New to Exchange Reporter Plus?
            New to SharePoint Manager Plus?
            New to SharePoint Manager Plus?
                See all integrations
                New to ADManager Plus?
                See all integrations
                New to ADManager Plus?

                  New to ADSelfService Plus?

                  Start your free trial
                  Start your free trial

                      Related Products