You need to audit logon success if you want the Top Console User in AI. Garth Jones just did a post about it: http://myitforum.com/myitforumwp/2014/07/29/enable-workstation-logon-audit-policy-in-order-to-collect-top-console-user-details/
Also, many security guidelines around various compliance laws have logon success and failure logging listed. I recall going through a SOX audit years ago we had to have those set. Not sure about HIPPA or other laws. Jim From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Ratliff Sent: Wednesday, July 30, 2014 9:47 AM To: [email protected] Subject: [mssms] RE: Security event logging The overhead is too much, we only audit when necessary. Usually for cases with Microsoft. Daniel Ratliff From: <mailto:[email protected]> [email protected] [ <mailto:[email protected]> mailto:[email protected]] On Behalf Of Ewing, Scott L Sent: Wednesday, July 30, 2014 9:44 AM To: <mailto:[email protected]> [email protected] Subject: [mssms] RE: Security event logging I’m interested in what people are auditing on the workstations, not servers. From: <mailto:[email protected]> [email protected] [ <mailto:[email protected]> mailto:[email protected]] On Behalf Of Ewing, Scott L Sent: Wednesday, July 30, 2014 9:40 AM To: <mailto:[email protected]> [email protected] Subject: [mssms] Security event logging How do you have your Windows security event log audit policy configured? Which categories do you have enabled for success logging? How about failure logging? What is the “best practice”? Thanks! The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
