By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On member servers and workstations that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. For more information and a list of event categories, see Audit Policies.
Local Administrators is the minimum group membership required to complete this procedure.
To define or modify auditing policy settings for an event category for your local computer
Open the Local Security Policy snap-in, and select Local Policies.
In the console tree, click Audit Policy.
Where?
- Security Settings/Local Policies/Audit Policy
In the results pane, double-click an event category that you want to change the auditing policy settings for.
Do one or both of the following, and then click OK.
- To audit successful attempts, select the Success check box.
- To audit unsuccessful attempts, select the Failure check box.
Additional considerations
- To open the Local Security Policy snap-in, click Start, point to Administrative Tools, and then click Local Security Policy.
Domain Admins is the minimum group membership required to complete this procedure.
To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain
If the Group Policy Management Console (GPMC) is not installed, open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.
After the Installation Results page shows that the installation of the GPMC was successful, click Close.
Click Start, point to Administrative Tools, and then click Group Policy Management.
In the console tree, double-click Group Policy objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
Right-click the Default Domain Policy GPO, and then click Edit.
In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Audit Policy.
In the results pane, double-click an event category that you want to change the auditing policy settings for.
If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.
Do one or both of the following, and then click OK.
- To audit successful attempts, select the Success check box.
- To audit unsuccessful attempts, select the Failure check box.
Additional considerations
- To open the Microsoft Management Console through the Windows interface, click Start, click in the Start Search text box, type mmc, and then press ENTER.
- To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object.
- After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events.
- The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.
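As an added example (not part of the original procedure and not Microsoft's own code), the following PowerShell decodes the [Event Audit] section of a security policy export produced by secedit /export, so the Success and Failure choices made in the procedures above can be checked on a computer without opening the snap-in. The function name Get-EventAuditSettings and the sample policy text are constructed for illustration.

```powershell
# Added example: decode the [Event Audit] section of a secedit policy export.
# Each category value is a bit mask: 0 = No auditing, 1 = Success, 2 = Failure, 3 = both.
function Get-EventAuditSettings {   # hypothetical helper name
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $categories = 'AuditSystemEvents','AuditLogonEvents','AuditObjectAccess',
                  'AuditPrivilegeUse','AuditPolicyChange','AuditAccountManage',
                  'AuditProcessTracking','AuditDSAccess','AuditAccountLogon'
    $found = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # A new section header: remember whether it is [Event Audit].
            $inSection = ($Matches[1] -eq 'Event Audit')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(\d+)$') {
            $found[$Matches[1]] = [int]$Matches[2]
        }
    }
    foreach ($name in $categories) {
        # A category missing from the section has never been defined.
        $value = 0
        $setting = 'Not defined'
        if ($found.ContainsKey($name)) {
            $value = $found[$name]
            if ($value -eq 0) { $setting = 'No auditing' } else { $setting = 'Defined' }
        }
        [pscustomobject]@{
            Category = $name
            Setting  = $setting
            Success  = [bool]($value -band 1)
            Failure  = [bool]($value -band 2)
        }
    }
}

# Constructed sample input. On a live system, export the policy from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
# and pass (Get-Content "$env:TEMP\secpol.inf") to -Lines instead.
$sample = @'
[System Access]
MinimumPasswordLength = 7
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditAccountLogon = 1
[Registry Values]
'@ -split "`r?`n"

Get-EventAuditSettings -Lines $sample | Format-Table -AutoSize
```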