Define or Modify Auditing Policy Settings for an Event Category
Applies To: Windows Server 2008
The auditing settings that you choose for the event categories define your auditing policy. On member servers and workstations that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. For more information and a list of event categories, see Audit Policies.
Defining or modifying auditing policy settings for an event category
- For your local computer
- For a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain
Local Administrator is the minimum group membership required to complete this procedure.
To define or modify auditing policy settings for an event category for your local computer
1. Open the Local Group Policy Editor, and select Local Computer.
2. In the console tree, click Audit Policy.
   Where?
   - Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy
3. In the results pane, double-click an event category that you want to change the auditing policy settings for.
4. Do one or both of the following, and then click OK.
   - To audit successful attempts, select the Success check box.
   - To audit unsuccessful attempts, select the Failure check box.
Additional considerations
- To open the Local Group Policy Editor, open Microsoft Management Console (MMC). In the File menu, click Add/Remove Snap-in, select Local Group Policy Object Editor from the list of snap-ins, and then click Add. From the Group Policy Wizard, keep Local Computer in the Group Policy Object box, and then click Finish.
Domain Admins is the minimum group membership required to complete this procedure.
To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain
1. If the Group Policy Management Console (GPMC) is not installed, open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.
2. After the Installation Results page shows that the installation of the GPMC was successful, click Close.
3. Click Start, point to Administrative Tools, and then click Group Policy Management.
4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
5. Right-click the Default Domain Policy GPO, and then click Edit.
6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Audit Policy.
7. In the results pane, double-click an event category that you want to change the auditing policy settings for.
8. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.
9. Do one or both of the following, and then click OK.
   - To audit successful attempts, select the Success check box.
   - To audit unsuccessful attempts, select the Failure check box.
Additional considerations
- To open the Microsoft Management Console through the Windows interface, click Start, click in the Start Search text box, type mmc, and then press ENTER.
- To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object.
- After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events.
- The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.
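To confirm which Success and Failure check boxes actually took effect, the category settings can be read back from a security template, such as the file written by `secedit /export /cfg <file> /areas SECURITYPOLICY`. The following is an added example, not part of the original procedure; it assumes the template's `[Event Audit]` section and its usual key names, and the sample text is constructed.

```python
# Keys of the [Event Audit] section mapped to the category names shown under Audit Policy.
CATEGORIES = {
    "AuditSystemEvents": "Audit system events",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditPolicyChange": "Audit policy change",
    "AuditAccountManage": "Audit account management",
    "AuditProcessTracking": "Audit process tracking",
    "AuditDSAccess": "Audit directory service access",
    "AuditAccountLogon": "Audit account logon events",
}

# Constructed sample. A real export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
"""

def parse_event_audit(inf_text):
    """Return {category: (success, failure)}; None means the setting is not defined."""
    settings = {name: None for name in CATEGORIES.values()}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "event audit" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key in CATEGORIES:
                flags = int(value)  # bit 0 = Success, bit 1 = Failure
                settings[CATEGORIES[key]] = (bool(flags & 1), bool(flags & 2))
    return settings

def not_audited(settings):
    """Categories that are undefined or record neither successes nor failures."""
    return sorted(n for n, v in settings.items() if v is None or v == (False, False))

if __name__ == "__main__":
    for name, value in parse_event_audit(SAMPLE_INF).items():
        state = "not defined" if value is None else f"success={value[0]} failure={value[1]}"
        print(f"{name}: {state}")
```

Categories returned by `not_audited` write nothing to the Security log, so they are the ones to revisit in the procedures above.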