Was wondering if someone could address some of the advantages of Auditing unsuccessful logins etc. at the workstation level as opposed to just auditing at the Server, Domain Controllers, etc. level? I know bandwidth could become an issue when auditing worstations becuase of the sheer number of them. I'm more concerned with what "events" could I detect at the Workstation level that I couldn't at the Server level? Michael
