In Windows, auditing is the recording of security-relevant system events and changes in the Security event log. When auditing is enabled, the system automatically writes a record each time an event of interest occurs. Auditing is enabled by configuring audit policies, either in the local security policy or through Group Policy. An audit policy is either not configured or enabled; when it is enabled, you specify which outcomes to log:

  • Audit Success to identify who has gained access or who was able to exercise a right or privilege.
  • Audit Failure to identify patterns of attempted access.

The following table describes the nine audit policies configurable through Group Policy.

Audit category / trigger event(s)

Account logon
  Account logon auditing tracks when an account's credentials are validated, that is, when a user account is used to authenticate to a computer. The audit event is generated on the system that holds the account:
  • When a local user account is used, the local computer records the account logon event.
  • When a domain user account is used, the domain controller that validated the credentials records the account logon event.
  For example, when a user authenticates to a domain, an account logon event is recorded on the domain controller but not on the local computer. If a user logs on with a local computer account, the account logon event is recorded on the local computer.

Account management
  Account management auditing tracks changes to user and group accounts, including:
  • Create
  • Rename
  • Disable/enable
  • Delete
  • Change the password

Directory service access
  Directory service access auditing tracks access to Active Directory objects and, with the Directory Service Changes subcategory, the changes made to them. The policy is divided into four subcategories:
  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication
  Note: In addition to enabling auditing in the audit policy, you must configure auditing (a SACL) on the specific objects you want to track.

Logon
  Logon auditing tracks logon and logoff on the local system, and network connections made to a system. The audit event is recorded in the Security log of the system being logged on to, regardless of the type of user account used. For example, when a user logs on to a computer with a domain account, a logon event is recorded on the local workstation, while the account logon event is recorded on the domain controller.

Object access
  Object access auditing tracks access to files, folders, and printers. It can also audit actions taken by a certificate authority and access to specific registry keys or IIS metabase settings. For file and folder auditing to occur, the files must be on NTFS volumes; FAT volumes carry no security descriptor and therefore no SACL.
  Note: In addition to enabling auditing in the audit policy, you must configure auditing (a SACL) on the specific objects you want to track.

Policy change
  Policy change auditing tracks changes to user rights assignments, trust relationships, IPsec and Kerberos policies, and the audit policy itself.

Privilege use
  Privilege use auditing tracks the following actions:
  • A user exercises a user right (privilege).
  • An administrator takes ownership of an object.

Process tracking
  Process tracking auditing records actions taken by programs, such as process creation and exit. It is often described as a program debugging aid, but process creation events (event ID 4688) are also among the most useful host records for incident response, because they show which program ran under which account.

System
  System events auditing tracks system shutdown and restart and the starting of system services. It also tracks events that affect security or the Security log itself.
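The two-step rule in the Object access row (policy first, then a SACL on the object) is easy to get half right, so here is the whole procedure carried through for a folder. This is an added example, not code from the original course text: the folder C:\Finance, the group CONTOSO\Finance-Users and the domain are hypothetical, and it assumes an elevated PowerShell session on Windows Server 2008 R2 or later. Event ID 4663 ("An attempt was made to access an object") is the object-access event that appears once both steps are in place.

```powershell
# Added example (not from the original course text). Assumes an elevated session;
# C:\Finance and CONTOSO\Finance-Users are hypothetical.

# Step 1: enable the Object Access > File System subcategory, success and failure.
# Enabling the subcategory rather than the whole legacy Object Access category keeps
# handle manipulation, registry and other subcategories out of the log.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) to the folder. Without this entry nothing is
# recorded for the folder, whatever the audit policy says.
$folder = 'C:\Finance'
$acl  = Get-Acl -Path $folder -Audit           # -Audit is required to read/write the SACL
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'CONTOSO\Finance-Users',                   # who to audit (hypothetical group)
    'ReadData, WriteData, Delete',             # which accesses to record
    'ContainerInherit, ObjectInherit',         # apply to subfolders and files
    'None',
    'Success, Failure')                        # audit both outcomes
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check that the SACL is actually in place; the Audit property is empty until step 2 runs.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Read back the resulting object-access events. The path is inside the event's
# XML payload rather than a filterable field, so it is filtered client-side.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = ($_.KeywordsDisplayNames -join ',')   # "Audit Success" or "Audit Failure"
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessMask                          # hex mask of the access requested
            Process = $d.ProcessName
        }
    } |
    Where-Object { $_.Object -like "$folder*" } |
    Format-Table -AutoSize
```

Run the verification line before trusting the log: a Set-Acl that was executed without SeSecurityPrivilege, or from a Get-Acl called without -Audit, leaves the policy enabled but the object unaudited, and the absence of 4663 events then looks like "nobody touched the folder".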

Be aware of the following when configuring auditing:

  • With both Directory Service Access and Object Access auditing, configuring auditing requires two steps:
    1. Enable auditing in the local security policy or Group Policy.
    2. Configure auditing on the specific objects. For example, you might edit the System Access Control List (SACL) of the Active Directory object or the NTFS file or folder to identify the users or groups and the actions to track. For CA auditing, identify the specific CA actions to track in the CA properties.
  • New with Windows Server 2008, Directory Service Access auditing is split into four subcategories. Audit Directory Service Access to record when an object is accessed; audit Directory Service Changes to record the old and new values when an object is changed.
  • Enabling the legacy Directory Service Access category enables all four subcategories at once. To enable an individual subcategory, use the auditpol /set /subcategory command. (Note: In Windows Server 2008 R2 and Windows 7, the subcategories can also be set through Group Policy under Advanced Audit Policy Configuration; when both the legacy category settings and the advanced subcategory settings are configured, the subcategory settings take precedence.)
  • View audit entries in the Event Viewer Security log.
  • When Directory Service Changes auditing is enabled, a change to an Active Directory object records one of the following event IDs. 5136 is logged once per attribute value changed, with separate entries for the old value removed and the new value added.
    Event ID  Action    Description
    5136      Modify    Logged when a successful modification is made to an attribute in the directory
    5137      Create    Logged when a new object is created in the directory
    5138      Undelete  Logged when an object is undeleted in the directory
    5139      Move      Logged when an object is moved within the domain
    5141      Delete    Logged when an object is deleted (Windows Server 2008 R2 and later)
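The list above gives the event IDs but not what it takes to make them appear or how to read the old and new values out of them. The following is an added example, not code from the original course text: it enables the Directory Service Changes subcategory with auditpol, adds the SACL entry to an OU (the second step the notes insist on), and then decodes events 5136 through 5139 plus the later 5141. It assumes an elevated session on a domain controller with the ActiveDirectory module; the OU OU=Servers,DC=contoso,DC=com is hypothetical.

```powershell
# Added example (not from the original course text). Assumes an elevated session on a
# domain controller with the ActiveDirectory module; the OU below is hypothetical.

# Step 1: enable only the subcategory needed. Enabling the legacy Directory Service
# Access category instead would switch on all four subcategories, including the two
# replication ones, which are extremely noisy on a busy DC.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Step 2: add the SACL entry on the OU. Audit Everyone for write-type rights on the OU
# and everything beneath it; read access is left out on purpose to keep volume down.
Import-Module ActiveDirectory
$ou       = 'AD:\OU=Servers,DC=contoso,DC=com'
$acl      = Get-Acl -Path $ou -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, WriteDacl, WriteOwner',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $ou -AclObject $acl

# Decode the change events. 5136 carries a single attribute value per event; its
# OperationType is %%14674 (value added) or %%14675 (value deleted), so a replaced
# attribute shows up as a deleted/added pair that shares one OpCorrelationID.
# 5139 reports OldObjectDN/NewObjectDN instead of ObjectDN.
$opType = @{ '%%14674' = 'Added'; '%%14675' = 'Deleted' }
$names  = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move'; 5141 = 'Delete' }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141 } -MaxEvents 200 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $object = if ($d.ObjectDN) { $d.ObjectDN } else { "$($d.OldObjectDN) -> $($d.NewObjectDN)" }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Action    = $names[$_.Id]
            By        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $object
            Attribute = $d.AttributeLDAPDisplayName   # populated for 5136 only
            Value     = $d.AttributeValue             # populated for 5136 only
            Change    = $opType[$d.OperationType]     # populated for 5136 only
            Corr      = $d.OpCorrelationID            # groups the events of one LDAP operation
        }
    } |
    Sort-Object Time, Corr |
    Format-Table -AutoSize
```

Sorting by OpCorrelationID is what turns the stream of single-value 5136 events back into readable "old value X, new value Y" pairs; without it, a single attribute replacement reads as two unrelated events.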