Security Basics mailing list archives

Logging local logon failures?


From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Wed, 25 Feb 2009 15:15:51 -0600

Good afternoon,

In a Windows/Active Directory environment how does one weigh the
following?
Do you log local logon failures to the event log on domain member PCs?
Do you avoid logging local logon failures and only care about logon
failures on domain controllers?

My concern is that a domain user will begin typing their password in
the username field of a logon box, hit Enter and thereby log the
password in the event viewer, followed by a successful logon by a
username after fixing their mistake.
So going through domain PC event logs will yield a good number of
complete and valid credentials.

Not logging logon failures on PCs will allow us to avoid this.
Are there downsides to this? Besides the "I like logs" argument.
Are there other, better options I am not aware of?

Thank you

Nick
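
One middle ground between the two options in the message, as an added example that is not part of the original post: keep failed-logon logging, but blank the account-name field in collected records when it does not match a real account. The account list, domain names, the dict layout (field names follow event 4625's TargetUserName and WorkstationName) and the sample records are assumptions constructed for illustration.

```python
# Added example: redact unknown account names in failed-logon records
# before they are collected centrally. All data below is constructed.
FAILED_LOGON_IDS = {529, 4625}  # logon failure: XP/2003, Vista and later
# Constant marker on purpose: a hash or length of the typed value would
# still leak a mistyped password to anyone who can read the logs.
REDACTED = "<redacted: not a known account>"

def account_of(name, domains):
    """Strip DOMAIN\\ or @domain only when the domain part is a real one,
    so a password such as 'jdoe@123' is not mistaken for account 'jdoe'."""
    name = name.strip().lower()
    if "\\" in name:
        dom, user = name.split("\\", 1)
        if dom in domains:
            return user
    if "@" in name:
        user, dom = name.rsplit("@", 1)
        if dom in domains:
            return user
    return name

def sanitize(events, known_accounts, domains):
    """Return (cleaned copies of events, number of redacted records)."""
    known = {a.lower() for a in known_accounts}
    doms = {d.lower() for d in domains}
    cleaned, redacted = [], 0
    for ev in events:
        ev = dict(ev)  # never modify the caller's record
        if (ev["EventID"] in FAILED_LOGON_IDS
                and account_of(ev["TargetUserName"], doms) not in known):
            ev["TargetUserName"] = REDACTED
            redacted += 1
        cleaned.append(ev)
    return cleaned, redacted

# Constructed sample: a password typed as the user name, the successful
# retry, a genuine failure for a real account, and a password that only
# looks like user@domain.
SAMPLE = [
    {"EventID": 4625, "WorkstationName": "PC-017", "TargetUserName": "correct-horse-constructed"},
    {"EventID": 4624, "WorkstationName": "PC-017", "TargetUserName": "CORP\\jdoe"},
    {"EventID": 4625, "WorkstationName": "PC-022", "TargetUserName": "jdoe@corp.example"},
    {"EventID": 4625, "WorkstationName": "PC-022", "TargetUserName": "jdoe@123"},
]

if __name__ == "__main__":
    events, count = sanitize(SAMPLE, {"jdoe"}, {"corp", "corp.example"})
    for ev in events:
        print(ev["EventID"], ev["WorkstationName"], ev["TargetUserName"])
    print("redacted:", count)
```

This only cleans the copy that is collected; the raw event stays in the PC's local log unless local failure auditing is turned off. Failures against real account names are kept, so repeated failed logons for an existing user remain visible.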



