ARCHIVED: In Windows, what is auditing and how do I use it?
In Windows 7, Vista, and XP, auditing allows an administrator or anyone with administrative rights to track and record the activities of users, groups, and processes. It is primarily used to diagnose performance problems and security risks, and for expansion planning.
Auditing is usually enabled by default in Windows. To change the auditing options:
- From the menu, select either , or and then .
- In Windows 7, first select . In all versions of Windows, open , and then or .
- In the
Local Security Settings
window, click the arrow or (plus sign) next to , and then click .
You will then see the nine types of auditing you can do in Windows:
- Account Logon Events: Tracks logins, logouts, and network connections
- Account Management: Tracks changes to accounts
- Directory Service Access: Tracks access to the Active Directory services
- Logon Events: Tracks logins, logouts, and network connections
- Object Access: Tracks access to files, directories, and other NTFS objects (including printers; in Windows, everything is considered an object)
- Policy Change: Tracks changes to user rights, audit policies, and trusts
- Privilege Use: Tracks changes to user privileges
- Process Tracking: Tracks program activation and termination, and other object or process activity
- System Events: Tracks server shutdowns and restarts, and logs events affecting system policy
To enable Object Access auditing:
- Right-click an object (e.g., a file, directory, or printer), and select .
- Click the tab.
- In Windows 7, click
Different events will be available depending on the type of object selected. Auditing is available only for NTFS objects; FAT does not allow for object auditing.
, and then click the
tab. In Vista or XP, click .
This is document akoq in the Knowledge Base.
Last modified on 2018-01-18 13:40:57.