Auditing logon events

For Nexthink to report accurate logon times and logon durations, especially if you use roaming user profiles in your Windows setup, configure the audit of logon events on all your devices. You can do so through Active Directory by applying a GPO to the domain of your devices.

Enabling the audit of logon events

To enable the audit of logon events:

  1. Open the Group Policy Management Console.
  2. Right-click the domain node of your devices and select the option Create a GPO in this domain, and Link it here.... A dialog to create the new GPO shows up.
  3. Type in the name of the GPO. For example, Logon Audit Policy.
  4. Click OK and the new GPO appears in the tree.
  5. Right-click the newly created GPO and select the option Edit.... The console displays the settings for the GPO.
  6. Expand the node Computer Configuration and navigate to Windows Settings / Security Settings / Local Policies / Audit Policy.
  7. Double-click the policy Audit logon events.
  8. Check the Success and, optionally, the Failure options.
  9. Click OK to save your changes.
  10. Run the command gpupdate /force to update the GPO.

The devices in the specified domain now record the logon events in the Security log.

Overwriting or clearing events from the Security log

After you activate the audit of logon events, make sure that the Security log of Windows always has enough space to save new logon events. Set the properties of the Security log to perform an appropriate action when the maximum size of the log is reached:

  • Overwrite events as needed (oldest events first). Recommended.
  • Archive the log when full, do not overwrite events.
  • Do not overwrite events (Clear logs manually).

Use the preferred first option to avoid problems with the size of the Security log.

If you choose the last option and the Security log runs out of space, you may no longer be able to log in to the device. Indeed, if the Security log is full and events are not overwritten, trying to write an audit logon event to the log fails, making the whole login procedure fail as well.
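To confirm on a device that the steps above took effect and that the Security log is set to a safe retention mode, the following check can be used. It is an added example, not part of the Nexthink documentation; the function name, the 90 % threshold and the English-language auditpol output are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on a device in the GPO's scope.
# Assumption: English-language Windows (auditpol names and values are localized).
function Test-LogonAuditReadiness {
    # Effective setting of the Logon subcategory, which belongs to the
    # category that the "Audit logon events" policy turns on. /r emits CSV.
    $audit = auditpol /get /subcategory:"Logon" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    $setting = $audit.'Inclusion Setting'

    # Security log configuration: retention mode, size limit, current size.
    $log = Get-WinEvent -ListLog Security
    $retention = switch ($log.LogMode.ToString()) {
        'Circular'   { 'Overwrite events as needed' }
        'AutoBackup' { 'Archive the log when full' }
        'Retain'     { 'Do not overwrite events' }
    }
    $percentFull = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

    # Most recent successful logon (event ID 4624), if any has been recorded.
    $lastLogon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LogonAudit     = $setting
        SuccessAudited = $setting -like 'Success*'
        Retention      = $retention
        MaxSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        PercentFull    = $percentFull
        # Never-overwrite mode plus a nearly full log is the case the page warns about.
        # The 90 % threshold is an arbitrary value chosen for this example.
        AtRisk         = ($log.LogMode.ToString() -eq 'Retain' -and $percentFull -ge 90)
        LastLogonEvent = $lastLogon.TimeCreated
    }
}

Test-LogonAuditReadiness | Format-List
```

An empty LastLogonEvent right after the policy is applied means that no logon has been recorded since auditing was enabled; it fills in after the next user logon.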
