Mds.PowerShell.SessionTracker.dll-Help.xml

<?xml version="1.0" encoding="utf-8"?>
<helpItems schema="maml" xmlns="http://msh">
  <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
    <command:details>
      <command:name>Get-MdsUserSessionTracking</command:name>
      <command:verb>Get</command:verb>
      <command:noun>MdsUserSessionTracking</command:noun>
      <maml:description>
        <maml:para>Traces an RDS user session from RD Gateway events to session-host events.</maml:para>
      </maml:description>
    </command:details>
    <maml:description>
      <maml:para>`Get-MdsUserSessionTracking` queries Windows event logs on RD Gateway and Remote Desktop Session Host servers, filters events for the requested user identity, and correlates them into session tracking records.</maml:para>
      <maml:para>The cmdlet does not use the ActiveDirectory module. Specify the RD Gateway servers to query with `-GatewayComputerName`. When the gateway events do not contain the redirected host name, also specify the RDS session hosts with `-SessionHostComputerName`.</maml:para>
      <maml:para>Queried logs include `Microsoft-Windows-TerminalServices-Gateway/Operational`, `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational`, and `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational`.</maml:para>
    </maml:description>
    <command:syntax>
      <command:syntaxItem>
        <maml:name>Get-MdsUserSessionTracking</maml:name>
        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue, ByPropertyName)" position="0" aliases="none">
          <maml:name>Identity</maml:name>
          <maml:description>
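            <maml:para>User identity to trace. Values can be supplied as `samAccountName`, `DOMAIN\samAccountName`, or UPN-style strings. Events are selected by matching the supplied value against event data and event message text; because this is a text match, verify that returned events belong to the intended account when account names are similar.</maml:para>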
          </maml:description>
          <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
          <dev:type>
            <maml:name>String[]</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Gateway, GatewayServer">
          <maml:name>GatewayComputerName</maml:name>
          <maml:description>
            <maml:para>RD Gateway computer names to query. Defaults to the local computer.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
          <dev:type>
            <maml:name>String[]</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>.</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="SessionHost, HostComputerName">
          <maml:name>SessionHostComputerName</maml:name>
          <maml:description>
            <maml:para>RDS session host computer names to query. If omitted, the cmdlet attempts to infer session hosts from gateway event resource fields.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
          <dev:type>
            <maml:name>String[]</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>StartTime</maml:name>
          <maml:description>
            <maml:para>Start of the event search window. Defaults to seven days before the current local time (`DateTime.Now.AddDays(-7)`).</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
          <dev:type>
            <maml:name>DateTime</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>DateTime.Now.AddDays(-7)</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>EndTime</maml:name>
          <maml:description>
            <maml:para>End of the event search window. Defaults to the current local time (`DateTime.Now`).</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
          <dev:type>
            <maml:name>DateTime</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>DateTime.Now</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>CorrelationWindowMinutes</maml:name>
          <maml:description>
            <maml:para>Number of minutes added before the start and after the end of each gateway session when correlating session-host events with it. Defaults to 30.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
          <dev:type>
            <maml:name>Int32</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>30</dev:defaultValue>
        </command:parameter>
      </command:syntaxItem>
    </command:syntax>
    <command:parameters>
      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByValue, ByPropertyName)" position="0" aliases="none">
        <maml:name>Identity</maml:name>
        <maml:description>
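          <maml:para>User identity to trace. Values can be supplied as `samAccountName`, `DOMAIN\samAccountName`, or UPN-style strings. Events are selected by matching the supplied value against event data and event message text; because this is a text match, verify that returned events belong to the intended account when account names are similar.</maml:para>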
        </maml:description>
        <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
        <dev:type>
          <maml:name>String[]</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Gateway, GatewayServer">
        <maml:name>GatewayComputerName</maml:name>
        <maml:description>
          <maml:para>RD Gateway computer names to query. Defaults to the local computer.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
        <dev:type>
          <maml:name>String[]</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>.</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="SessionHost, HostComputerName">
        <maml:name>SessionHostComputerName</maml:name>
        <maml:description>
          <maml:para>RDS session host computer names to query. If omitted, the cmdlet attempts to infer session hosts from gateway event resource fields.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
        <dev:type>
          <maml:name>String[]</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>StartTime</maml:name>
        <maml:description>
          <maml:para>Start of the event search window. Defaults to seven days before the current local time (`DateTime.Now.AddDays(-7)`).</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
        <dev:type>
          <maml:name>DateTime</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>DateTime.Now.AddDays(-7)</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>EndTime</maml:name>
        <maml:description>
          <maml:para>End of the event search window. Defaults to the current local time (`DateTime.Now`).</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
        <dev:type>
          <maml:name>DateTime</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>DateTime.Now</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>CorrelationWindowMinutes</maml:name>
        <maml:description>
          <maml:para>Number of minutes added before the start and after the end of each gateway session when correlating session-host events with it. Defaults to 30.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
        <dev:type>
          <maml:name>Int32</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>30</dev:defaultValue>
      </command:parameter>
    </command:parameters>
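    <command:inputTypes>
      <command:inputType>
        <dev:type>
          <maml:name>System.String[]</maml:name>
        </dev:type>
        <maml:description>
          <maml:para>User identities can be piped to `-Identity` by value or by property name.</maml:para>
        </maml:description>
      </command:inputType>
    </command:inputTypes>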
    <command:returnValues>
      <command:returnValue>
        <dev:type>
          <maml:name>Mds.PowerShell.SessionTracker.MdsUserSessionTracking</maml:name>
        </dev:type>
        <maml:description>
          <maml:para>The output includes `StartTime`, `EndTime`, `Duration`, `Gateway`, `SessionHost`, `ClientAddress`, `SessionId`, `DisconnectReason`, gateway/session-host milestone times, and the raw correlated `Events` collection.</maml:para>
        </maml:description>
      </command:returnValue>
    </command:returnValues>
    <maml:alertSet>
      <maml:alert>
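        <maml:para>Querying a remote computer requires an account that can read the target event logs on that computer, and firewall/RPC access to its Event Log service. Read access is sufficient; membership in the built-in Event Log Readers group typically grants it, so administrative rights should not be needed solely for this cmdlet. Verify this against the log permissions in your environment.</maml:para>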
      </maml:alert>
    </maml:alertSet>
    <command:examples>
      <command:example>
        <maml:title>------ Example 1: Trace a user through the local gateway ------</maml:title>
        <dev:code>Get-MdsUserSessionTracking -Identity skaplan1</dev:code>
        <dev:remarks>
          <maml:para>Queries the local computer as the gateway and returns matching sessions from the last seven days.</maml:para>
        </dev:remarks>
      </command:example>
      <command:example>
        <maml:title>Example 2: Trace a user with explicit gateways and session hosts</maml:title>
        <dev:code>Get-MdsUserSessionTracking -Identity skaplan1 -GatewayComputerName rdgw01,rdgw02 -SessionHostComputerName rdsh01,rdsh02</dev:code>
        <dev:remarks>
          <maml:para>Queries the specified gateways and session hosts.</maml:para>
        </dev:remarks>
      </command:example>
      <command:example>
        <maml:title>---------- Example 3: Trace sessions in a time window ----------</maml:title>
        <dev:code>Get-MdsUserSessionTracking -Identity skaplan1 -GatewayComputerName rdgw01 -StartTime '2026-06-01 08:00' -EndTime '2026-06-01 18:00'</dev:code>
        <dev:remarks>
          <maml:para>Limits event-log queries to the specified time range.</maml:para>
        </dev:remarks>
      </command:example>
    </command:examples>
    <command:relatedLinks />
  </command:command>
</helpItems>