Access Denied: Understanding Event IDs 683 and 682
Learn the significance of disconnecting from and reconnecting to winstation sessions.
March 16, 2003
Some of our Windows 2000 Server Security logs show frequent occurrences of event ID 683 (session disconnected from winstation) followed by event ID 682 (session reconnected to winstation). What are these events, and what do they signify?
These events correspond to a user disconnecting from and reconnecting to a Win2K Server Terminal Services session. Say that Bob, sitting at workstation A, uses Terminal Services to log on to a server, thus initiating a Terminal Services session on the server. If Bob later disconnects from the session instead of logging off, his remote desktop session remains active and the applications he's opened remain open. After disconnecting, Bob can reconnect from workstation A or any other Terminal Servicesequipped workstation and pick up where he left off. When he reconnects, the remote desktop on the server is unchanged.
Win2K logs event ID 683, which Figure 2 shows, when Bob disconnects from his Terminal Services session. The OS logs event ID 682, which Figure 3 shows, when Bob reconnects to the session. The ability to reconnect to an existing session from other workstations is useful if Bob's workstation crashes or he needs to change locations without closing down his remote desktop session on the server.
About the Author
You May Also Like