RDP Connectivity Checklist
A structured check for RDP failures before changing firewall rules, user rights, or server policy.
Good For
- Windows Server RDP
- VPN access
- remote admin
- firewall path checks
How to Use It
- Confirm the target hostname resolves to the expected internal address.
- Test TCP 3389 from the same network path as the affected user.
- Confirm the user is allowed to sign in through Remote Desktop Services.
- Check recent Terminal Services events for disconnect, sign-in, or listener evidence. Use System events only when a broader host issue is suspected.
- Review session limits, NLA requirements, VPN split-tunnel behavior, and firewall scope before changing policy.
Execution Modes
- local
- remote-single-host
Inputs and Outputs
Inputs
- target hostname
- user account
- network path
- expected firewall scope
Outputs
- verbose-console
- operator-notes
Command Starter
Safe to run: read-only
# Test the user-facing TCP path from the affected network segment.
Test-NetConnection server.example.com -Port 3389
# Session enumeration can require administrative rights on the target.
qwinsta /server:server.example.com
# Review recent Remote Desktop operational events from the server.
Get-WinEvent -ComputerName server.example.com `
-LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' `
-MaxEvents 50 |
Select-Object TimeCreated, Id, LevelDisplayName, MessageValidation
- TCP 3389 is reachable from the client path.
- The expected user can complete sign-in without policy or session-limit errors.
- Event logs stop recording the original connection failure.
Reporting
- record TCP reachability, session state, and event log findings
Safety Notes
- Check reachability and policy first.
- Avoid widening firewall scope until the current path is documented.