Enable User Logon Reporting

This policy simply directs Third Wall to store appropriate user-only Logon and Logoff events on the ConnectWise Automate database, where it will be available for the Third Wall Logon Report and Dataviews. Data will be stored for 60 days only. To save it longer, follow these procedures: Open the Dashboard Click Config -> Configuration -> Properties Add a new property: Name = ThirdWallNoLogonPurge Value = True

This policy requires that the policy Log All Logon and Logoff Events be enabled.

There is an option to include Type 3 (Network) Logon Failures. If you suspect that you have excessive Network Logon Failures in your environment, select this option to track them down. All logon failures, including these, are visible only in the Third Wall User Logon Dataview.

Target machines must be rebooted after enabling this policy for data to be captured for this policy and the associated reports / dataviews.

The ‘Enable User Logon Reporting’ has a safety feature to prevent overloading your Automate server with excessive entries. These entries may be caused by a multitude of factors including domain misconfiguration, virus infection or a verbose, non-standard service. Should this monitor detect 20 or more entries within a 300 second period, two things will occur: The computer will be immediately excepted from policy and you will receive a ticket, alerting you of the automatic exception. To resolve this condition, you simply open the computer screen and remove the exception.

This behavior has an override. If you anticipate 20 or more entries within a 300 second period on a given computer, use the registry editor and make the following modification. Add 'HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Plugins\ThirdWall\store\LogonWatchSafetyOverride’ as a REG_SZ with a value equal to the newly desired threshold. The Third Wall Logon Reporting Policy will now alert only if the number value assigned to that key is exceeded.