Tracking Audits in a Terminal Server Environment

Subject:

Explains how Auditor tracks changes in a Terminal Server environment vs. a workstation.

More Information:

Auditor works the same in a Terminal Server environment as on a regular workstation.  When an audit occurs, it is logged into the Audit Log.  It tracks the User ID as well as the Workstation with each audit.  For example, if two users are on a Terminal Server, the audits will reflect the different User IDs, but record the same workstation (the Terminal Server).

When auditing at a SQL level, Auditor records the SQL login User ID (which could be a Windows Authenticated User ID or a SQL Server User ID), but the Workstation is NOT captured.  This is because Auditor cannot tell what Machine a SQL connection is made from.

The Auditor .cnk file must be installed on each Terminal Server and each workstation in order to track audits at the Window and Table levels.  However, once SQL Table audits are installed from anywhere, they track everyone regardless if they have the Auditor .cnk file installed or not.  This is because SQL Triggers are installed at the SQL database level, and do not rely on GP running at all.

Related Content