I'm investigating a weird issue: someone sent me a screen capture of an AD DC showing two regular users with "Session Initiated" status on the welcome screen of the AD DC.
The screen capture shows a "square" symbol, with the DOMAIN\LOGIN_NAME on the upper line and the "Session Initiated" message below.
It makes no sense, because I've checked and double-checked: these regular users do not have rights or privileges to log on (neither locally nor via RDP) to AD DCs. The AD DC is a VM, and no local logon could occur without access to the Hyper-V (workgroup machine), so maybe it could be an RDP remote logon. There are 4624 events with logon type = 3 (network logon), and as far as I know, an RDP logon will show logon type = 10.
I know this screen; it looks exactly like someone doing a local or remote login via RDP and disconnecting the session, so that the session looks like it was initiated by someone else. The person who gave me this screen capture couldn't log in and see the Users tab in Task Manager to make sure that there was a disconnected session.
What chain of events could cause a user to appear to be logged on to a DC, generating a "Session Initiated" message on the welcome screen? As far as I know, even sessions to mapped drive letters, printing and other network activities couldn't cause "Session Initiated" to appear on the welcome screen of the AD DC.
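
One way to check the 4624 events mentioned above is to summarise them per account and logon type, so that any logon type that creates or unlocks a desktop session (2, 7, 10, 11) stands out from the type 3 network logons. This is an added example, not part of the original post; the helper name `Get-LogonSummary`, the accounts `user1`/`user2`, the domain `EXAMPLE` and the sample events are assumptions constructed for illustration.

```powershell
# Added example, not from the original post. Accounts, domain and IPs are constructed.
# Logon types that create or unlock a desktop session on the machine itself.
$SessionTypes = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-LogonSummary {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$EventXml,  # one string per event, from $event.ToXml()
        [Parameter(Mandatory)][string[]]$Account    # sAMAccountName values to look for
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ([string]$evt.System.EventID -ne '4624') { continue }
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Account -notcontains $d['TargetUserName']) { continue }
        $type = [int]$d['LogonType']
        [pscustomobject]@{
            Time         = $evt.System.TimeCreated.SystemTime
            User         = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType    = $type
            MakesSession = $SessionTypes.ContainsKey($type)
            Source       = $d['IpAddress']
            Process      = $d['LogonProcessName']
        }
    }
}

# Constructed sample events, trimmed to the fields used above.
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
       '<EventID>4624</EventID><TimeCreated SystemTime="{0}"/></System><EventData>' +
       '<Data Name="TargetUserName">{1}</Data><Data Name="TargetDomainName">EXAMPLE</Data>' +
       '<Data Name="LogonType">{2}</Data><Data Name="IpAddress">{3}</Data>' +
       '<Data Name="LogonProcessName">{4}</Data></EventData></Event>'
$sample = @(
    ($tpl -f '2024-01-01T10:00:00Z', 'user1', 3,  '192.0.2.10', 'Kerberos'),
    ($tpl -f '2024-01-01T10:05:00Z', 'user2', 10, '192.0.2.20', 'User32')
)
Get-LogonSummary -EventXml $sample -Account 'user1', 'user2' | Format-Table -AutoSize

# Against the live Security log on the DC (elevated prompt):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object { $_.ToXml() }
# Get-LogonSummary -EventXml $xml -Account 'user1', 'user2' | Where-Object MakesSession
```

Running `quser /server:<DC-name>` as an administrator lists the sessions on the DC, including disconnected ones, without needing the Users tab in Task Manager.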