If you open the security settings in a GPO and look closer at the audit policy, you will see 2 logon events: Audit account logon event and Audit logon event.
What are the differences and why did Microsoft give them such a confusing name?
I was looking for some resources to answer this question when Google showed me this page: http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx, a blog from the Windows auditing team.
So here is their explanation for the bad naming. The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, it's about credential validation.
And these are the differences.
Audit Logon/Logoff generates events for the creation and destruction of logon sessions. These events occur on the machine which was accessed. In the case of an interactive logon, these would be generated on the machine which was logged on to. In the case of network logon, for example, accessing a share, these events would be generated on the machine hosting the resource that was accessed.
Audit Account Logon generates events for credential validation. These events occur on the machine which is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local machine is authoritative. Since domain accounts are used much more frequently in enterprise environments than local accounts, most of the Account Logon events in a domain environment occur on the domain controllers which are authoritative for the domain accounts. However, these events can occur on any machine, and may occur in conjunction with or on separate machines from logon/logoff events.
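The split described above, as an added example that is not from the original post or the linked blog: it sorts constructed Security-log records by audit category and reports, per account, which host validated the credentials and which hosts held the logon sessions. The event IDs are the Windows Vista / Server 2008 and later ones; the host names, account names and records are made up for illustration.

```python
from collections import defaultdict

# Security-log event IDs (Windows Vista / Server 2008 and later) per audit category.
ACCOUNT_LOGON = {
    4768: "Kerberos TGT requested",
    4769: "Kerberos service ticket requested",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
}
LOGON_LOGOFF = {
    4624: "logon session created",
    4625: "logon failed",
    4634: "logon session destroyed",
    4647: "user-initiated logoff",
}

def category(event_id):
    """Map an event ID to its audit policy category, or None if unrelated."""
    if event_id in ACCOUNT_LOGON:
        return "Account Logon"
    if event_id in LOGON_LOGOFF:
        return "Logon/Logoff"
    return None

# Constructed sample: alice (domain account) logs on to WS07 and opens a share
# on FS01; localadmin (local account) logs on interactively to WS07.
EVENTS = [
    {"host": "DC01", "id": 4768, "user": "CORP\\alice"},
    {"host": "DC01", "id": 4769, "user": "CORP\\alice"},
    {"host": "WS07", "id": 4624, "user": "CORP\\alice", "logon_type": 2},
    {"host": "FS01", "id": 4624, "user": "CORP\\alice", "logon_type": 3},
    {"host": "FS01", "id": 4634, "user": "CORP\\alice", "logon_type": 3},
    {"host": "WS07", "id": 4776, "user": "WS07\\localadmin"},
    {"host": "WS07", "id": 4624, "user": "WS07\\localadmin", "logon_type": 2},
]

def where_logged(events):
    """Per user: hosts that validated credentials vs. hosts that held sessions."""
    result = defaultdict(lambda: {"Account Logon": set(), "Logon/Logoff": set()})
    for ev in events:
        cat = category(ev["id"])
        if cat:  # skip events outside the two categories
            result[ev["user"]][cat].add(ev["host"])
    return dict(result)

if __name__ == "__main__":
    for user, hosts in where_logged(EVENTS).items():
        print(user, {c: sorted(h) for c, h in hosts.items()})
```

For the domain account the two categories land on different machines (domain controller versus workstation and file server); for the local account both land on the same workstation.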
If you want to know more about auditing account logon events and logon events, this blog (http://blogs.msdn.com/ericfitz/default.aspx) is a good place to start.