Audit logon events

This security setting determines whether the OS audits each instance of a user attempting to log on to or to log off to this computer.

Log off events are generated whenever a logged on user account's logon session is terminated. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Audit Policy



Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

Audit Policy security settings are not registry keys.

Reboot required: 


Related content