> For the complete documentation index, see [llms.txt](https://docs.nexthink.com/platform/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/installing-collector/windows-collector-references/auditing-logon-events.md).

# Auditing logon events

For Nexthink to report accurate logon times and logon durations, especially if you are using roaming user profiles in your Windows setup, configure the audit of logon events on all your devices. You can do so with the help of Active Directory by applying a GPO to the domain of your devices.

## Enabling the audit of logon events <a href="#auditinglogonevents-enablingtheauditoflogonevents" id="auditinglogonevents-enablingtheauditoflogonevents"></a>

To enable the audit of logon events:

1. Open the **Group Policy Management Console**.
2. Right-click the domain node of your devices and select the option **Create a GPO in this domain, and Link it here...**. A dialog box to create the new GPO shows up.
3. Type in the name of the GPO. For example, *Logon Audit Policy*.
4. Click **OK** and the new GPO appears in the tree.
5. Right-click the newly created GPO and select the option **Edit...**. The console displays the settings for the GPO.
6. Expand the node **Computer Configuration** and navigate to **Windows Settings / Security Settings / Local Policies / Audit Policy**.
7. Double-click the policy **Audit logon events**.
8. Check the **Success** and, optionally, the **Failure** options.
9. Click **OK** to save your changes.
10. Run the command **gupdate /force** to update the GPO.

The devices in the specified domain now record the logon events in the Security log.

## Overwriting or clearing events from the Security log <a href="#auditinglogonevents-overwritingorclearingeventsfromthesecuritylog" id="auditinglogonevents-overwritingorclearingeventsfromthesecuritylog"></a>

After you activate the audit of logon events, make sure that the Security log of Windows always has enough space to save new logon events. Set the properties of the Security log to perform an appropriate action when the maximum size of the log is reached:

* **Overwrite events as needed (oldest events first)**. *Recommended*.
* **Archive the log when full, do not overwrite events**.
* **Do not overwrite events (Clear logs manually)**.

Use the preferred first option to avoid problems with the size of the Security log.

If you choose the last option and the Security log runs out of space, you may no longer be able to log in to the device. Indeed, if the Security log is full and events are not overwritten, trying to write an audit logon event to the log fails, making the whole login procedure fail as well.

***

RELATED REFERENCE

* [Boot and logon duration](/platform/references/references-classic/database-information-and-organization-classic/boot-and-logon-duration-classic.md)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/installing-collector/windows-collector-references/auditing-logon-events.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.