Value Of Auditing Workstations

Under normal circumstances, administrators prefer to audit servers only, leaving workstations alone. However, there may be cases when auditing on workstations is quite reasonable.

In most situations workstations are exempted from auditing because there are many workstations but few servers. Workstations are also often volatile: they can be rebuilt from an image, so it is often easier to restore the OS image than to investigate whatever failure prevents the system from functioning.

If security logs are kept on workstations as well, however, it becomes much easier to keep track of all network activity and pinpoint possible cases of unauthorized access, along with credential leaks. Studying the records of logon/logoff attempts can be a significant time saver when network activity has to be tracked and monitored.

Since auditing doesn't impose much load on workstations, the most important types of events (logon and logoff attempts, access to shared resources, etc.) should be logged even on workstations.
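The kind of review described above, as an added example that is not from the original post: it scans logon records collected from workstations and reports any account that shows up on several different workstations within a short period, a pattern worth checking for leaked credentials. The record format, the host and account names, and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one logon attempt per line:
# timestamp, workstation, account, outcome (hypothetical format).
SAMPLE_LOG = """\
2009-12-17T09:00:05 WS-014 jsmith success
2009-12-17T09:01:40 WS-022 akovacs failure
2009-12-17T09:01:52 WS-022 akovacs success
2009-12-17T13:10:11 WS-031 jsmith failure
2009-12-17T13:11:02 WS-007 jsmith success
2009-12-17T13:12:30 WS-019 jsmith success
2009-12-17T13:14:45 WS-031 jsmith success
2009-12-17T17:30:00 WS-014 jsmith success
"""


def parse(text):
    """Yield (time, workstation, account, outcome) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, account, outcome = line.split()
        yield datetime.fromisoformat(stamp), host, account, outcome


def accounts_on_many_workstations(text, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted workstations} for every account that attempted
    logons on at least min_hosts distinct workstations inside one time window.
    Failed attempts count too: they show where the credentials were tried."""
    by_account = defaultdict(list)
    for when, host, account, _outcome in parse(text):
        by_account[account].append((when, host))

    flagged = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged.setdefault(account, set()).update(hosts)
    return {account: sorted(hosts) for account, hosts in flagged.items()}


if __name__ == "__main__":
    print(accounts_on_many_workstations(SAMPLE_LOG))
```

None of these workstation-to-workstation logons would be visible in logs kept on servers only.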


About this Entry

This page contains a single entry by Konstantin Boyandin published on December 17, 2009 10:21 AM.
