Enable Workstation Logon Audit Policy in Order to Collect Top Console User Details

Last month I was asked how to get top console user details into a report. My first answer was to tell them to enable the Asset Intelligence (AI) class. However, this was already done, so I asked if the auditing policy was enabled. It wasn’t.

If you want to capture top console user details in System Center Configuration Manager Current Branch (SCCM or CMCB), System Center 2012 Configuration Manager (CM12) or CM07, which is particularly useful for reporting, you need to enable the logon auditing policy.

Here are the steps to enable it within your domain.

Enable Workstation Logon Audit Policy-Group Policy Management

Open Group Policy Management.

Enable Workstation Logon Audit Policy-Create a GPO

Right-click the domain (in my case, gartek.tst), then click Create a GPO in this domain, and Link it here.

Enable Workstation Logon Audit Policy-Enter GPO Name

Enter CM12 Console Logon Audit and click OK.

Enable Workstation Logon Audit Policy-Edit

Right-click CM12 Console Logon Audit and click Edit…

Enable Workstation Logon Audit Policy-Audit Logon Events

Expand Computer Configuration | Policies | Windows Settings | Security Settings and Audit Policy. In the results pane, double-click Audit logon events.

Enable Workstation Logon Audit Policy-Properties

Select Define these policy settings and ensure that the Success check box is selected. Next click OK. Finally, close Group Policy Management Editor.

Enable Workstation Logon Audit Policy-Enforced

Right-click CM12 Console Logon Audit and click Enforced.

Now, assuming that you have enabled the SMS_SystemConsoleUsage and SMS_SystemConsoleUser inventory classes, top console user details will be available in SCCM / CM12 / CM07 for use by the application model, collections and, where I use it the most, reporting.

Enable Workstation Logon Audit Policy-Edit Inventory Classes
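
To confirm on a workstation that the policy has applied and that the client is producing console user data, a check like the following can be run from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes an English-language OS (the auditpol category name is localized), the GPO name used above, an installed Configuration Manager client, and a 7-day look-back window chosen for illustration.

```powershell
# Added verification example. Run elevated on a domain-joined workstation
# after the GPO has had a chance to apply (for example, after gpupdate /force).

$gpoName = 'CM12 Console Logon Audit'   # GPO name from the steps above

# 1. Is the GPO in the computer's applied policy list?
$applied = gpresult.exe /r /scope:computer | Select-String -SimpleMatch $gpoName
if ($applied) { "GPO '$gpoName' is applied to this computer." }
else          { "GPO '$gpoName' was NOT found in the applied computer GPOs." }

# 2. Effective audit policy. "Audit logon events" corresponds to the
#    Logon/Logoff category; the Logon subcategory should report Success.
auditpol.exe /get /category:"Logon/Logoff"

# 3. Are successful logons (event ID 4624) actually reaching the Security log?
#    Count interactive logons (LogonType 2) per account over the last 7 days.
#    This only proves that events exist; it does not reproduce how
#    Configuration Manager calculates the top console user.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
              LogName = 'Security'; Id = 4624; StartTime = $since
          } -ErrorAction SilentlyContinue

$interactive = foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data['LogonType'] -eq '2') {
        '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    }
}
if (-not $interactive) { 'No interactive 4624 events found; check the audit policy.' }
# System accounts such as Window Manager\DWM-n can appear in this list.
$interactive | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name

# 4. What has the Configuration Manager client recorded locally? These are
#    the client-side classes that hardware inventory reports to the site.
$ns = 'root\cimv2\sms'
Get-CimInstance -Namespace $ns -ClassName SMS_SystemConsoleUser -ErrorAction SilentlyContinue |
    Sort-Object TotalUserConsoleMinutes -Descending |
    Select-Object SystemConsoleUser, NumberOfConsoleLogons,
                  TotalUserConsoleMinutes, LastConsoleUse

Get-CimInstance -Namespace $ns -ClassName SMS_SystemConsoleUsage -ErrorAction SilentlyContinue |
    Select-Object TopConsoleUser, TotalConsoleUsers, TotalConsoleTime
```

If step 3 returns events but step 4 returns nothing, the audit policy is working and the gap is on the Configuration Manager client or inventory side.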
