Summary: The Logon Reporting policy records logon failures in its audit. If the amount of failed logons exceeds four failures per minute (on average), the remote will except itself from the policy and issue an Alert. This is to prevent flooding the database with excessive, redundant entries.
Depending on the environment, many computers could be excepted. This article describes the method by which you can remove the exceptions in the fewest steps.
Be aware, if the condition which caused the frequent logon failures is not resolved, it is highly probable the remotes will simple reapply the exception. Before conducting this method, be sure to identify the cause of the multiple failures and correct that condition.
Process: Download the custom script. Then run a dataview to identify all current computer exceptions and filter so only exceptions from the Logon Reporting policy are shown. Select all the computers on the dataview and issue the custom script to them.
Steps:
- Download the TW - Remove Computer Exception from Logon Reporting from this link
- Unzip the file.
- Import the script into your system
- On the Control Panel, press System -> General -> Import -> XML Expansion. This will result in a file dialogue. Select the unzipped file, just downloaded.
- The new script is now installed and resides in a 'Third Wall' folder.
- Right-click the topmost 'Clients' entry in the Navigation Tree. Select Dataviews -> ThirdWallV2 -> Thirdwall Computer Exception List
- This will result in a new window, the selected dataview. The dataview shows all current exceptions to all current policies. Use the top of the screen to apply a filter to the 'Thirdwall Policy' column so only 'Enable User Logon Reporting' is shown.
- Be sure to check the counts on the dataview. It is possible there are more findings than what is shown. The Total number on the top-right of the screen shows the total number of computers found. Make sure that number is less than the number shown in the 'Page Size' field. This ensures all findings are on this screen. You may have to edit the 'Page Size' field to make this happen. Press <enter> after making the edit to set and refresh the screen.
- Select all computers. Right-click them and select Agents -> Scripts -> Third Wall -> TW - Remove Computer Exception from Logon Reporting. Finish the script initialization dialogue to completion.
- When the remote computer(s) run the script, their exception from the Logon Reporting policy will be removed and they will resume uploading their logon audits to the Automate server.