Troubleshooting Tip: Checking why endpoints are showing multiple usernames in the FortiClient EMS endpoint pane

In the EMS endpoint pane, when selecting the dropdown list in an endpoint username, there may be other usernames listed.

It is possible that this particular machine has been logged into by these users without the knowledge of the EMS administrator.

Follow these steps to investigate:

• Check the local FortiESNAC.txt file.

1. In that particular machine, navigate to C:\Program Files\Fortinet\FortiClient\logs\trace, look for FortiESNAC.txt.
2. In the FortiESNAC.txt file, you can search for the keyword 'USER=', this username info is being sent to EMS.
3. Check the date and timestamp and validate if the user has indeed logged-in into the machine.

• Run Windows commands to check if there are other users logged-in into the same machine.
  
  

net user
query user

• Open Task Manager -> Users tab to see if there are multiple user sessions.
• Open Windows Event Viewer to check for user login activities.
  Start -> Event Viewer -> right click Security -> Filter current log -> enter event ID 4624 (which is for successful login) -> OK.
  See the attached example screenshot:

Note: It is not possible to manually delete a username entry in the EMS endpoint pane. The username list will only be removed once the endpoint record is deleted in the endpoint pane.