To verify that the Workstation logon agent has been deployed to a machine, confirm that the GPO configured to install the agent has been applied to the machine. If the agent has been successfully installed the following files will exist under C:\Program Files (x86)\Quest\Active Administrator\Workstation Logon Audit Agent:
- AAEventDefinitions.xml
- AAWkstnSvc.exe
- SLAgentSvc.log
The following reg key should also exist:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Quest Software\Active Administrator\Settings
The values under this key should be:
- AFSPort - 15601
- AFSServer - AFS Server name
- EnableWorkstationAuditAgent - 1
In the AA console use the User Logon Activity Screen under Security & Delegation to confirm there are known logon events for that machine. You can also use the User Logon Activity report found under Auditing & Alerting | Audit Reports.