# Auditing logon events

For Nexthink to report accurate logon times and logon durations, especially if you are using roaming user profiles in your Windows setup, configure the audit of logon events on all your devices. You can do so with the help of Active Directory by applying a GPO to the domain of your devices.

## Enabling the audit of logon events

To enable the audit of logon events:

1. Open the **Group Policy Management Console**.
2. Right-click the domain node of your devices and select the option **Create a GPO in this domain, and Link it here...**. A dialog box to create the new GPO shows up.
3. Type in the name of the GPO. For example, *Logon Audit Policy*.
4. Click **OK** and the new GPO appears in the tree.
5. Right-click the newly created GPO and select the option **Edit...**. The console displays the settings for the GPO.
6. Expand the node **Computer Configuration** and navigate to **Windows Settings / Security Settings / Local Policies / Audit Policy**.
7. Double-click the policy **Audit logon events**.
8. Check the **Success** and, optionally, the **Failure** options.
9. Click **OK** to save your changes.
10. Run the command **gpupdate /force** to update the GPO.

The devices in the specified domain now record the logon events in the Security log.

## Overwriting or clearing events from the Security log

After you activate the audit of logon events, make sure that the Security log of Windows always has enough space to save new logon events. Set the properties of the Security log to perform an appropriate action when the maximum size of the log is reached:

* **Overwrite events as needed (oldest events first)**. *Recommended*.
* **Archive the log when full, do not overwrite events**.
* **Do not overwrite events (Clear logs manually)**.

Use the preferred first option to avoid problems with the size of the Security log.

If you choose the last option and the Security log runs out of space, you may no longer be able to log in to the device. Indeed, if the Security log is full and events are not overwritten, trying to write an audit logon event to the log fails, making the whole login procedure fail as well.
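To confirm on a device that the GPO took effect and that the Security log is set to a safe retention mode, the following check can be run from an elevated PowerShell session. It is an added example, not part of the Nexthink documentation. The function name `Test-LogonAuditReadiness` and the 90% fill threshold are assumptions made here, and the category and setting names are the English ones, because `auditpol` output is localized.

```powershell
# Added verification example (not Nexthink code). Run elevated on a device in the GPO's scope.
# Assumes an English-language Windows: auditpol category/setting names are localized.
function Test-LogonAuditReadiness {
    # 1. Effective audit policy for the Logon/Logoff category, in CSV form (/r).
    $policy = auditpol /get /category:"Logon/Logoff" /r |
        Where-Object { $_ } |            # drop the blank lines auditpol emits
        ConvertFrom-Csv
    $logon   = $policy | Where-Object { $_.Subcategory -eq 'Logon' }
    $setting = $logon.'Inclusion Setting'   # e.g. "Success and Failure", "No Auditing"

    # 2. Security log retention mode and fill level.
    $log = Get-WinEvent -ListLog Security
    $modeMeaning = switch ($log.LogMode.ToString()) {
        'Circular'   { 'Overwrite events as needed (oldest events first)' }
        'AutoBackup' { 'Archive the log when full, do not overwrite events' }
        'Retain'     { 'Do not overwrite events (Clear logs manually)' }
    }
    $usedPct = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

    # 3. Most recent successful logon event (ID 4624), if any has been recorded.
    $last = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LogonAuditSetting  = $setting
        SuccessAudited     = [bool]($setting -match 'Success')
        FailureAudited     = [bool]($setting -match 'Failure')
        SecurityLogMode    = $modeMeaning
        MaxSizeMB          = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        UsedPercent        = $usedPct
        IsLogFull          = $log.IsLogFull
        # Retain mode plus a nearly full log is the case in which writing the
        # audit logon event fails. The 90% threshold is an assumption of this example.
        RetainModeNearFull = ($log.LogMode.ToString() -eq 'Retain' -and $usedPct -ge 90)
        LastSuccessLogon   = $last.TimeCreated
    }
}

Test-LogonAuditReadiness | Format-List
```

An empty `LastSuccessLogon` together with `SuccessAudited = False` indicates that the policy has not reached the device yet.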

***

RELATED REFERENCE

* [Boot and logon duration](/platform/references/references-classic/database-information-and-organization-classic/boot-and-logon-duration-classic.md)


