Auditing overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Establishing audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

The most common types of events to be audited are:

  • Access to objects, such as files and folders.

  • Management of user accounts and group accounts.

  • Users logging on to and logging off from the system.

When you implement audit policy:

  • Specify the categories of events that you want to audit. Examples of event categories are user logon, user logoff, and account management. The event categories that you select constitute your audit policy. For more information about each event category, see Auditing Policy.

  • Set the size and behavior of the security log. You can view the security log with Event Viewer. For more information about the security log, see Viewing security logs.

  • If you want to audit directory service access or object access, determine which objects you want to monitor and which types of access to those objects you want to record. For example, if you want to audit any attempts by users to open a particular file, you can configure auditing policy settings in the object access event category so that both successful and failed attempts to read a file are recorded.

    For more information about how to set up object access auditing, see:

For more information about auditing, see Auditing Security Events.
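
The three implementation steps above can be checked against a security template (.inf) exported from a server. The following is an added example, not code from the original page: the sample template is constructed, and the function name and the 16384 KB minimum log size are assumptions chosen for illustration.

```python
import configparser

# Constructed sample in the security template (.inf) layout that
# "secedit /export" writes; the values are illustrative only.
SAMPLE_TEMPLATE = """
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 1
AuditObjectAccess = 0
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
RetentionDays = 7
"""

# Template keys for the event types the page lists as most commonly audited.
CATEGORIES = {
    "AuditObjectAccess": "access to objects",
    "AuditAccountManage": "account management",
    "AuditLogonEvents": "logon and logoff",
}
MODES = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}

def review_template(text, min_log_kb=16384):
    """Return (mode per category, findings); min_log_kb is an assumed threshold."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep the template's key case
    cfg.read_string(text)
    audit = cfg["Event Audit"] if cfg.has_section("Event Audit") else {}
    log = cfg["Security Log"] if cfg.has_section("Security Log") else {}
    modes, findings = {}, []
    for key, label in CATEGORIES.items():
        value = int(audit.get(key, 0))  # a missing key is treated as not audited
        modes[key] = MODES[value]
        if value == 0:
            findings.append(f"{label} is not audited ({key}=0)")
    size = int(log.get("MaximumLogSize", 0))  # value is in kilobytes
    if size < min_log_kb:
        findings.append(f"security log is {size} KB, below {min_log_kb} KB")
    if int(log.get("AuditLogRetentionPeriod", 0)) == 1:  # 1 = overwrite by days
        findings.append(f"events older than {log.get('RetentionDays')} days are overwritten")
    if modes["AuditObjectAccess"] != "none":
        findings.append("object access is on: set auditing entries (SACLs) on each object")
    return modes, findings

if __name__ == "__main__":
    for line in review_template(SAMPLE_TEMPLATE)[1]:
        print("-", line)
```

Enabling the object access category alone records nothing until auditing entries are set on the files, folders, or directory objects to be monitored, which is why the last check is a reminder and not a failure.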