Audit Remote Tool Usage in ConfigMgr 2007
At my job we audit Remote Control so that if someone is somewhere they are not supposed to be, there is a trail and proof.
I used John Nelson's tool to find the message codes I needed for SCCM:
http://myitforum.com/cs2/blogs/jnelson/archive/2008/05/21/117428.aspx
Here are the audit numbers for remote control functions in ConfigMgr 2007 SP1.
Remote tools usage can be tracked by creating new Status Filter Rules for the event IDs listed below. Set the Action to:
- Report to the Event log
- Replicate to the Parent Site
- Replication Priority: Medium
Then we use a tool that tracks the event IDs that this generates on the central site. Since status messages are passed up to the parent site, you only need to create the Status Filter Rules on the central site.
| MessageID | MessageType | Source | Component | Example Description |
|---|---|---|---|---|
| 30076 | Audit | SMS Provider | Remote Tools Console | User "Domain\User" at "XXX" initiated Remote Control with "XXX". |
| 30077 | Audit | SMS Provider | Remote Tools Console | User "Domain\User" at "XXX" ended Remote Control with "XXX". |
| 30084 | Audit | SMS Provider | Remote Tools Console | User "Domain\User" at "xxx" started a Remote Tools session with "xxx". |
| 30085 | Audit | SMS Provider | Remote Tools Console | User "Domain\User" at "xxx" failed to start a Remote Tools session with "xxx". Solution: Verify that the Remote Tools Client Agent is installed on the client. If the agent is installed and you cannot start a Remote Tools session, use the "Show Status" command on Control Panel, Remote Tools on the client to verify that the Remote Control Agent is listening on the right protocol. |
| 30090 | Audit | SMS Provider | Remote Tools Console | User "Domain\User" at "xxx" is ending a Remote Tools session with "xxx". |
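As an added example (not part of the original post or of ConfigMgr), the Python below reviews the five audit messages from the table: it pulls the user, console and target out of each description, pairs session starts with their ends, and returns failed attempts and sessions that never logged an end. The `time|MessageID|description` export layout, the sample lines and the start/end pairing are assumptions made for the illustration.

```python
import re
from collections import namedtuple

# MessageID -> (tool, action), from the table above. Pairing 30076 with 30077
# and 30084 with 30090 is an assumption based on the description wording.
AUDIT_IDS = {
    30076: ("Remote Control", "start"), 30077: ("Remote Control", "end"),
    30084: ("Remote Tools", "start"), 30090: ("Remote Tools", "end"),
    30085: ("Remote Tools", "failed"),
}
# All five descriptions share: User "<user>" at "<console>" ... with "<target>".
DESC_RE = re.compile(
    r'User "(?P<user>[^"]+)" at "(?P<console>[^"]+)" .*? with "(?P<target>[^"]+)"')
Event = namedtuple("Event", "time msg_id user console target")

# Constructed sample in a hypothetical "time|MessageID|description" export.
SAMPLE = r'''
2008-06-02 09:14:03|30076|User "CORP\jdoe" at "ADMIN01" initiated Remote Control with "WS-1001".
2008-06-02 09:20:41|30077|User "CORP\jdoe" at "ADMIN01" ended Remote Control with "WS-1001".
2008-06-02 10:00:00|500|Constructed status message that is not a remote tools audit.
2008-06-02 10:02:10|30085|User "CORP\asmith" at "ADMIN02" failed to start a Remote Tools session with "SRV-FIN01". Solution: Verify that the Remote Tools Client Agent is installed on the client.
2008-06-02 10:05:55|30084|User "CORP\asmith" at "ADMIN02" started a Remote Tools session with "SRV-FIN01".
'''.strip().splitlines()

def parse(line):
    """Return an Event for one of the five audit messages, else None."""
    parts = line.split("|", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    m = DESC_RE.search(parts[2])
    if int(parts[1]) not in AUDIT_IDS or not m:
        return None
    return Event(parts[0], int(parts[1]), m["user"], m["console"], m["target"])

def review(lines):
    """Return (completed sessions, failed attempts, sessions with no end)."""
    open_sessions, completed, failed = {}, [], []
    for ev in filter(None, map(parse, lines)):
        tool, action = AUDIT_IDS[ev.msg_id]
        key = (tool, ev.user, ev.console, ev.target)
        if action == "start":
            open_sessions[key] = ev
        elif action == "failed":
            failed.append(ev)
        elif key in open_sessions:
            completed.append((open_sessions.pop(key), ev))
    return completed, failed, list(open_sessions.values())

if __name__ == "__main__":
    completed, failed, unclosed = review(SAMPLE)
    for ev in failed + unclosed:
        print(ev.time, ev.msg_id, ev.user, "->", ev.target)
```
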
In SMS 2.0 and 2003 there were additional numbers to be audited, but I do not see those numbers in 2007 because the remote tool doesn't have the same functionality that the old Remote.exe had, so the other audit numbers may not be needed, but I have attached the list in case you find that you need it.
Chris Stauffer <><