How to Tell Who Interactively Logged On to Your Server
By Signifium
Knowing who logged on to a server interactively (console or RDP) is essential for security and compliance. Whether you’re investigating a suspicious login or auditing access, the Windows Security event log holds the answer—but finding the right events can feel like searching for a needle in a haystack. The key is Event ID 4624 and the LogonType field. If you don’t see 4624 in your Security log, enable or check your audit policy first.
GUI method
Run Event Viewer.
- Click on “Security Logs”
- Click on “Filter Current Logs”
- Type in 4624 in “All Event ID’s”
- The filtered result is all logs that are related to login activity on your server.
- To further filter the noise, look at the description and specifically look for LogonType.
- There are multiple LogonTypes; interactive logons are represented by Type 2 and Type 10.
Unfortunately, it can be difficult to go through each log to find Type 2 and Type 10.
PowerShell method
PowerShell-based queries can be a little better than the GUI. Open PowerShell on your server and run the following query.
# Successful logons (4624) whose LogonType is exactly 2 or 10.
# -in compares whole values, so other types that merely contain a "2" (such as 12) are not matched.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
    Where-Object { $_.Properties[8].Value -in 2, 10 } |
    Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[5].Value}}, @{Name='Domain';Expression={$_.Properties[6].Value}}, @{Name='Logon Type';Expression={$_.Properties[8].Value}} |
    Format-Table
The query can be filtered further to return even more data. The report in the WinPulse app does all of that heavy lifting for you and gives an even better report in the mobile app.
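One way to filter the query further, shown as an added example that is not from the original article or from WinPulse: the LogonType filter runs server-side through XPath, fields are read by name instead of by position, and the source address and logon ID are included. The 24-hour window and the output column names are assumptions made for illustration.

```powershell
# Added example (not from the original article).
# Run from an elevated session: reading the Security log requires administrative rights.
$hours = 24                       # assumed look-back window
$ms    = $hours * 3600 * 1000     # timediff() works in milliseconds

# The event log service evaluates this XPath, so only 4624 events
# with LogonType 2 or 10 inside the window are returned to PowerShell.
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $ms]]] and " +
         "*[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

Get-WinEvent -LogName Security -FilterXPath $xpath |
    ForEach-Object {
        # Index the EventData fields by name rather than relying on Properties[n] positions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = if ($data['LogonType'] -eq '10') { '10 (RDP)' } else { '2 (console)' }
            SourceIP    = $data['IpAddress']       # client address for RDP logons
            LogonId     = $data['TargetLogonId']   # ties the logon to later events in the same session
        }
    } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

If no events match, Get-WinEvent reports an error instead of returning an empty result; an access-denied error means the session is not elevated.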
WinPulse method
This is the simplest method of all: tap three times to get your report.
- Download the app from the WinPulse product page.
- Configure the Gateway Server once; one gateway can manage hundreds of computers.
- Once logged in, tap Reports, then Interactive Login. Done.
Best Practices
- Enable Security auditing — Ensure “Audit logon events” (success and failure) is enabled so 4624 events are recorded.
- Retain logs long enough — Set Security log size and retention so you can look back when investigating incidents.
- Filter by LogonType — Use LogonType 2 (interactive) and 10 (RemoteInteractive/RDP) to focus on console and RDP logons; ignore network/service logons unless needed.
- Centralize when possible — Use SIEM or monitoring tools to aggregate 4624 across servers for faster investigation.
FAQ
What is Event ID 4624?
4624 is the Windows Security event that records a successful logon. The event details include the account, logon type, and source; LogonType tells you whether it was console (2) or RDP (10).
Why don’t I see 4624 in the Security log?
Audit policy may not be enabled. Enable “Audit logon events” (success and failure) in Group Policy or Local Security Policy so 4624 events are generated.
What’s the difference between LogonType 2 and 10?
Type 2 = interactive (physical console); Type 10 = RemoteInteractive (RDP). Both represent a user sitting at a session; filter for 2 and 10 to see who actually “logged on” to the machine.
Related reading
See JEA and Active Directory for securing privileged access, and 10 Common AD Tasks for speeding up daily AD work.
For interactive login reports and Windows Server monitoring from your phone, see WinPulse.