Apply or modify auditing policy settings for an object using Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

 

To apply or modify auditing policy settings for an object using Group Policy

  1. Open Microsoft Management Console (MMC).

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Click Group Policy Object Editor, and then click Add.

  4. On the Select Group Policy Object page in the Group Policy Wizard, click Browse.

  5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit (or create a new one), click OK, and then click Finish.

  6. Click Close, and then click OK.

  7. Do one or more of the following:

    To audit system services, do this:

      In the console tree, click System Services.

      Where?

      • Computer Configuration/Windows Settings/Security Settings/System Services

      In the details pane, right-click the service that you want to apply or modify auditing policy settings for, and then click Properties.

      If it is not already selected, select the Define this policy setting check box, and then select the appropriate setting.

      Click Edit Security.

    To audit registry keys, do this:

      In the console tree, click Registry.

      Where?

      • Computer Configuration/Windows Settings/Security Settings/Registry

      If you want to add a registry key to this GPO to audit, right-click Registry, and then click Add Key. Browse to the key that you want, and then click OK.

      If you want to apply or modify auditing settings on a registry key that has already been added to this GPO, in the details pane, right-click the registry key, click Properties, and then click Edit Security.

    To audit files or folders, do this:

      In the console tree, click File System.

      Where?

      • Computer Configuration/Windows Settings/Security Settings/File System

      If you want to add a file or folder to this GPO to audit, right-click File System, and then click Add File. Browse to the file that you want, or make a new folder, and then click OK.

      If you want to apply or modify auditing settings on a file or folder that has already been added to this GPO, in the details pane, right-click the file or folder, click Properties, and then click Edit Security.

  8. Click Advanced, and then click the Auditing tab.

  9. Do one of the following:

    • To set up auditing for a new user or group, click Add. In Name, type the name of the user or group that you want, and then click OK.

    • To view or change auditing for an existing group or user, click the name that you want, and then click Edit.

    • To remove auditing for an existing group or user, click the name that you want, click Remove, click OK, and then skip the rest of this procedure.

  10. Select the appropriate entry in the Apply onto list.

  11. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:

    • To audit successful events, select the Successful check box.

    • To stop auditing successful events, clear the Successful check box.

    • To audit unsuccessful events, select the Failed check box.

    • To stop auditing unsuccessful events, clear the Failed check box.

    • To stop auditing all events, click Clear All.

  12. If you want to prevent files and subfolders in the tree from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.
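The choices made in steps 9 through 12 end up as one audit entry in the object's system access control list (SACL). The following added example, which is not part of the original Microsoft procedure, builds the same kind of entry on a local test folder with Windows PowerShell and reads it back, so you can see how each dialog box choice is stored. It assumes Windows PowerShell is installed, the session is elevated, and the folder is on an NTFS drive; the folder path, the audited group, and the access types are constructed sample values.

```powershell
# Added example (not from the original page). Run in an elevated session:
# reading or writing a SACL requires the "Manage auditing and security log" right.
# The folder, principal, and access types below are constructed sample values.
$path = Join-Path $env:TEMP 'AuditDemo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Step 9: the user or group whose access is audited.
$principal = New-Object System.Security.Principal.NTAccount('Everyone')

# Step 10: "Apply onto" = This folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Step 12: check box selected => NoPropagateInherit (entries stop one level down);
# check box cleared => None (entries flow down the whole tree).
$propagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit

# Step 11: access types to audit, with both Successful and Failed selected.
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, ChangePermissions, TakeOwnership'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $principal, $rights, $inherit, $propagate, $flags)

# -Audit makes Get-Acl load the SACL; without it the audit entries are not returned.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the entries back, inherited ones included. IsInherited = True marks an entry
# that comes from a parent folder and cannot be edited or removed on this object.
(Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags,
                  IsInherited, InheritanceFlags, PropagationFlags |
    Format-List
```

The entry only produces security log events once object access auditing is enabled, as described under Important.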

Important

  • Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. For more information about how to enable object access auditing, see "Define or modify auditing policy settings for an event category" in Related Topics.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Microsoft Management Console, click Start, click Run, type mmc, and then click OK.

  • For more information on selecting where to apply auditing entries, see Related Topics.

  • You can set up file and folder auditing only on NTFS drives.

  • If you see the following:

    • In the Auditing Entry for File or Folder dialog box, in the Access box, the check boxes are unavailable ...

    • In the Advanced Security Settings for File or Folder dialog box, the Remove button is unavailable ...

    auditing is inherited from the parent folder.

  • After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes.

  • Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

See Also

Concepts

Auditing Security Events
View the security log
Define or modify auditing policy settings for an event category
Apply or modify auditing policy settings for a local file or folder
Apply or modify auditing policy settings for an object using Group Policy
Selecting where to apply auditing entries