Wel Come

Tuesday, January 25, 2011

Auditing Windows Server 2008

Auditing allows IT administrators to keep track of activity in a Server 2008 and Active Directory environment. Because auditing causes the event log to fill up very quickly, it is disabled by default. IT administrators should enable audit policies only as needed, since too many audit logs make them hard to review. Audit policies can be configured in the Group Policy Management Console under “Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy”. See screenshot. Audit events can be viewed in Event Viewer.

Types of Audit Policies on Server 2008

Audit account logon events
This policy logs events when a user attempts to log on to a system.

Audit account management
This policy logs events when an account is changed.

Audit directory service access
This policy logs events when a user attempts to access an Active Directory object.

Audit logon events
This policy logs logon events over the network or by service accounts.

Audit object access
This policy logs events when a user attempts to access an object, such as a file, shared folder or printer.

Audit policy change
This policy logs events when a user attempts to change a policy, such as the audit policies.

Audit privilege use
This policy logs events when a user attempts to exercise a privilege, such as changing the date or granting another user an admin privilege.

Audit process tracking
This policy logs events when a user executes a process, application or program when accessing the computer.

Audit system events
This policy logs system-specific events such as startup and shutdown.
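
To check which of the nine policies above are actually enabled on a server, the security settings can be exported with `secedit /export /cfg <file>` and the `[Event Audit]` section read offline. The Python below is an added example, not part of the original post; the function names are my own and the sample export text is constructed.

```python
import configparser

# Key names of the [Event Audit] section in a security template export,
# mapped to the policy names shown in the Group Policy editor.
POLICIES = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}
# Setting values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def read_audit_policy(inf_text):
    """Return {policy name: setting}; keys absent from the export are 'Not defined'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(inf_text)
    section = parser["Event Audit"] if parser.has_section("Event Audit") else {}
    report = {}
    for key, name in POLICIES.items():
        raw = section.get(key)
        report[name] = "Not defined" if raw is None else SETTINGS.get(int(raw), "Unknown")
    return report

def disabled_policies(report):
    """Policies that will not write any audit events."""
    return sorted(n for n, s in report.items() if s in ("No auditing", "Not defined"))

# Constructed sample export (not from a real server); AuditDSAccess is left out
# on purpose to show how a missing key is reported.
SAMPLE_INF = """\
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditAccountLogon = 2
"""

if __name__ == "__main__":
    for name, setting in read_audit_policy(SAMPLE_INF).items():
        print("%-34s %s" % (name, setting))
```

This reads only the nine basic category settings listed above; subcategory settings made with `auditpol` do not appear in this export. A real export file is usually UTF-16 encoded, so decode it before passing the text in.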

