Applies To: Windows Server 2008
Before you implement auditing, you must decide on an auditing policy. An auditing policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy, one that suits the security needs of your organization.
The event categories that you can choose to audit are:
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify what types of access you would like to audit for each group or user.
To enable auditing of local objects, you must be logged on as a member of the Built-in Administrators group.