Server Audits

By default, client computers do not report software applications stored on remote volumes. This avoids redundant reporting from multiple clients. With the standard KeyAccess client install, the client component only runs when a Windows user account is actively logged in. It tracks programs launched and quit by the logged in user. Whenever the KeyServer has a pending audit request, an incremental audit is initiated and uploaded. Since a typical server rarely has a Windows user account logged in, the KeyAccess client software may need to be scheduled to also periodically check for pending audit requests even when there is no user currently logged in.

Note: even if the KeyAccess client is scheduled to check for pending audit requests daily, it does not mean that an audit will be performed daily. KeyServer still manages the frequency of audits and typically there will be many days (e.g. 7 days, 30 days, or more) when no audit is requested.

Any KeyAccess version prior to 6.2 must be installed as a program (not as a service, which is the installer default behavior) on the server host in order to support the audit feature (note: KeyAccess must be 6.0.3.1 or better). This feature is only meant to be used for Windows Server computers that do not see frequent or ongoing Windows login sessions. As such, the following does not apply to normal desktop or portable computers.

Performing Periodic Audits (Windows Server)

First, create an account (or use an existing account) on the server that can access all of the volumes that you wish to audit. The "System" account typically has access only to the system drive, so this account does not qualify. You can use a Local account or a Domain account, so long as it has sufficient privileges and can be accessed automatically by the Windows' Scheduled Task manager. If you have multiple servers on which you wish to install KeyAccess, you could create a single domain account for use on all servers.

There are three methods you can use to configure the KeyAccess Client to check periodically for audit requests:

Method 1) Customize the client installer, then install on the Windows Server

Instructions for turning on the "-y" option ("create scheduled task for server audits") are included in the k2clientconfig.exe documentation. You can also customize the installer with the KeyServer DNS name etc. (or just enter the name at install time).

Note: after installing the standard KeyAccess client components, the customized installer will simply create a Windows scheduled task which by default is set to execute daily at 1:00 AM. This task can be edited using the Scheduled Tasks control panel, as described below.

Method 2) Use the "Scheduled Tasks" control panel to create and configure a periodic task

While logged in to the Windows Server as an administrator, run the standard client installer, ksp-client-i386.exe, and configure the client with the correct address to connect to the KeyServer as usual.

In the Windows Control Panel, open Scheduled Tasks, right-click in its window and choose New->Scheduled Task. Give the new task a name like "KeyAccess", and double click on it to see the properties. The screenshot shows the proper command path and working directory. Of special note is the "-auditonly" option in the command line (available in version 6.0.3.1 or better). This tells KeyAccess to launch (if necessary) and connect to KeyServer in order to check for any pending audit request ("audit asap" state in its computer record). Of course the account name described above must be entered in the "Run as:" section (replacing the value "SASSAFRAS\audit" shown in the screen shot).

This next screenshot shows that the task is to run every Monday at 1 AM. The scheduled time can be whatever you want. You might consider running the task once a day, even though audits will occur less frequently. This way, KeyServer will be able to spread out the audits of all of the servers so that they do not happen all at once. The task start time can be different on each server.

The last screenshot shows that the task will run for 1 hour and then will be shut down. This is an optional setting, because KeyAccess will automatically exit after the audit has completed. This time limit should be as long as seems reasonable, perhaps 1 or 2 hours depending on the size of the server. An hour or two is plenty of time, and perhaps much more than necessary, but there is no significant overhead. The "Idle Time" settings should not be checked.

Method 3) Use the "schtasks" utility to create and configure a periodic task

On servers running Windows Server 2003 or higher, you can use the schtasks command-line utility instead of the GUI to create the Scheduled Task. For example:

schtasks /create /sc daily /st 01:00:00 /ru SASSAFRAS\audit
		/tn KeyAccess /tr "C:\WINDOWS\keyacc32.exe -auditonly"

Again, you will use an account name different from the one given above. The schtasks program will prompt you for a password for the account.

As mentioned above, these instructions are for installing KeyAccess on servers that do not see direct user logons. It is possible to use this same method to run KeyAccess on any Windows Terminal Server in order to conduct audits. KeyAccess would also be used on such Window Terminal Servers to track program usage for users who are connecting remotely.