"Audit account logon events" and "Audit logon events", I need someone to clarify the differences between these two audit types, I am very confused! I have traditionally only used "Audit logon events" to track success/failure logon attempts from a client to the domain. The more I read the descriptions for these events the more confused I get. Can you give me examples of use, mainly for "Audit account logon events"? Here are the descroptions from 2003 help. --------------- Audit account logon eventsDescription: This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes. If success auditing for account logon events is enabled on a domain controller, an entry is logged for each user who is validated against that domain controller, even though the user is actually logging on to a workstation that is joined to the domain. Default: Success. --------------- Audit logon eventsDescription: This security setting determines whether to audit each instance of a user logging on to or logging off from a computer. Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more information about account logon events, see Audit account logon events. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes. Default: Success. Thanks Super Play

Account logon events are only registered on the domain controller while logon events are registered on each computer. Account Logon events will register the logon events of other servers that have a shares set up for clients to connect to. One is for the domain controller, while the other is for the client. The domain controller does log both types though.