Before you implement auditing, you must decide on an auditing policy. An auditing policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.

The event categories that you can choose to audit are:

  • Audit account logon events

  • Audit account management

  • Audit directory service access

  • Audit logon events

  • Audit object access

  • Audit policy change

  • Audit privilege use

  • Audit process tracking

  • Audit system events

If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller) or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user.

To enable auditing of local objects, you must be logged on as a member of the built-in Administrators group.
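
The two steps above (enable the object access category, then specify which access types to audit for a group) can be scripted as follows. This is an added example, not part of the original documentation. It assumes an English-language system where auditpol.exe is available, and the folder path and audited group are constructed sample values.

```powershell
# Added example. $Path and $Principal are constructed sample values (assumptions).
$Path      = 'C:\AuditDemo'      # hypothetical folder to audit
$Principal = 'BUILTIN\Users'     # group whose access will be audited

# Auditing local objects requires membership in the built-in Administrators group.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated session as a local administrator.' }

# Step 1: enable the object access category for both successes and failures.
# The category name is localized; "Object Access" assumes an English system.
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# Step 2: add an audit entry (SACL) naming the group and the access types to record.
if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}
$acl     = Get-Acl -LiteralPath $Path -Audit   # -Audit loads the SACL as well as the DACL
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: show the effective category setting and the audit entries on the folder.
auditpol.exe /get /category:"Object Access"
(Get-Acl -LiteralPath $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

On a domain-joined computer, audit settings delivered through Group Policy can overwrite what is set locally here, so check the effective policy after the next policy refresh.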
