Define or modify auditing policy settings for an event category

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

 

To define or modify auditing policy settings for an event category

  • For your local computer

  • For only domain controllers, when you are on a domain controller or on a workstation that has Windows Server 2003 Administration Tools Pack installed

  • For a domain or organizational unit, when you are on a domain controller or on a workstation that has Administration Tools Pack installed

  • For a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain

For your local computer

  1. Open Local Security Settings.

  2. In the console tree, click Audit Policy.

    Where?

    • Security Settings/Local Policies/Audit Policy

  3. In the details pane, double-click an event category that you want to change the auditing policy settings for.

  4. Do one or both of the following, and then click OK.

    • To audit successful attempts, select the Success check box.

    • To audit unsuccessful attempts, select the Failure check box.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

For only domain controllers, when you are on a domain controller or on a workstation that has Windows Server 2003 Administration Tools Pack installed

  1. Open Domain Controller Security Policy.

  2. In the console tree, click Audit Policy.

    Where?

    • Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy

  3. In the details pane, double-click an event category that you want to change the auditing policy settings for.

  4. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  5. Do one or both of the following, and then click OK.

    • To audit successful attempts, select the Success check box.

    • To audit unsuccessful attempts, select the Failure check box.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Domain Controller Security Policy, click Start, click Control Panel, double-click Administrative Tools, and then double-click Domain Controller Security Policy.

For a domain or organizational unit, when you are on a domain controller or on a workstation that has Administration Tools Pack installed

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the domain or organizational unit for which you want to set Group Policy.

  3. Click Properties, and then click the Group Policy tab.

  4. Click Edit to open the Group Policy object (GPO) that you want to edit. You can also click New to create a new GPO, and then click Edit.

  5. In the console tree, click Audit Policy.

    Where?

    • Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy

  6. In the details pane, double-click an event category that you want to change the auditing policy settings for.

  7. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  8. Do one or both of the following, and then click OK.

    • To audit successful attempts, select the Success check box.

    • To audit unsuccessful attempts, select the Failure check box.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

For a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain

  1. Open Microsoft Management Console (MMC).

  2. In the File menu, click Add/Remove Snap-in, and then click Add.

  3. Click Group Policy Object Editor, and then click Add.

  4. On the Select Group Policy Object page in the Group Policy Wizard, click Browse.

  5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit (or create a new one), click OK, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, click Audit Policy.

    Where?

    • Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy

  8. In the details pane, double-click an event category that you want to change the auditing policy settings for.

  9. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  10. Do one or both of the following, and then click OK.

    • To audit successful attempts, select the Success check box.

    • To audit unsuccessful attempts, select the Failure check box.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Microsoft Management Console, click Start, click Run, type mmc, and then click OK.

Notes

  • To audit object accesses, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object. For information about how to enable auditing on an object, see "Apply or modify auditing policy settings for a local file or folder" or "Apply or modify auditing policy settings for an object using Group Policy" in Related Topics.

  • After your audit policy is configured, events will be recorded in the security log. Open the security log to view these events. For information about the security log, see "Use the security log" in Related Topics.

  • The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.
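
One way to check the result of the procedures above is to read the [Event Audit] section of a security template, such as a secedit /export file or a GPO's GptTmpl.inf. The following Python is an added example, not part of the original topic. It distinguishes a category that was never defined (Define these policy settings cleared) from one explicitly set to No auditing. The sample template and the baseline are constructed for illustration.

```python
# Added example: decode [Event Audit] from a security template; sample data is constructed.
CATEGORIES = {  # INF key -> event category name shown under Audit Policy
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}
# Bit 0 = Success check box, bit 1 = Failure check box
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def parse_event_audit(text):
    """Return {category: setting}; 'Not defined' when the key is absent."""
    found, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.split(";", 1)[0].strip()  # drop INF comments
        if line.startswith("["):
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in CATEGORIES and value.isdigit() and int(value) in SETTINGS:
                found[key] = SETTINGS[int(value)]
    return {name: found.get(key, "Not defined") for key, name in CATEGORIES.items()}

def missing(text, required):
    """List categories whose setting lacks the required Success/Failure box."""
    policy = parse_event_audit(text)
    return sorted(name for name, need in required.items()
                  if need not in policy[name])

# Constructed sample: three categories defined, the other six left undefined.
SAMPLE = """[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2   ; failure only
AuditPolicyChange = 0
[Version]
signature="$CHICAGO$"
"""
# Hypothetical baseline: the check box each category must include.
BASELINE = {"Audit logon events": "Failure", "Audit object access": "Success",
            "Audit policy change": "Success"}
if __name__ == "__main__":
    for name, setting in parse_event_audit(SAMPLE).items():
        print(f"{name:35} {setting}")
    print("Below baseline:", missing(SAMPLE, BASELINE))
```

Template files are typically saved as Unicode (UTF-16), so decode the file with that encoding before passing its text to parse_event_audit.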

See Also

Concepts

Auditing Policy
Auditing Security Events
Auditing overview
Apply or modify auditing policy settings for a local file or folder
Apply or modify auditing policy settings for an object using Group Policy
Use the Security Log