戻る
-
タイトル
How to verify the Workstation Logon Audit agent has been successfully deployed using a GPO? -
説明
How can we confirm the Workstation Logon Audit agent has been deployed to the workstations? -
対策
To verify that the Workstation logon agent has been deployed to a machine, confirm that the GPO configured to install the agent has been applied to the machine. If the agent has been successfully installed the following files will exist under C:\Program Files (x86)\Quest\Active Administrator\Workstation Logon Audit Agent:- AAEventDefinitions.xml
- AAWkstnSvc.exe
- SLAgentSvc.log
The following reg key should also exist:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Quest Software\Active Administrator\SettingsThe values under this key should be:- AFSPort - 15601
- AFSServer - AFS Server name
- EnableWorkstationAuditAgent - 1
In the AA console use the User Logon Activity Screen under Security & Delegation to confirm there are known logon events for that machine. You can also use the User Logon Activity report found under Auditing & Alerting | Audit Reports.