Today in a Session with a customer i came into the need to see which Users connected when and from which Ip Address to a specific Windows Terminalserver.

Sure you can click yourself a Filter together in Eventlog, but this little Powershell Script may be handy.

Get-WinEvent -Logname 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager'] and (EventID=1149)]]" | %{
        $event = [xml]$_.ToXML()
        [pscustomobject]@{'Time'=$_.TimeCreated;'Username'=$event.Event.UserData.EventXML.Param1;'Source-IP'=$event.Event.UserData.EventXML.Param3}
}
PowerShell

Login to the Terminalserver which you want to query, and execute the above script in Powershell. You’ll get a nice list with Timestamps, Usernames and the Source IP.