Indiana University
University Information Technology Services
  
What are archived documents?
Login>>
Login

Login is for authorized groups (e.g., UITS, OVPIT, and TCC) that need access to specialized Knowledge Base documents. Otherwise, simply use the Knowledge Base without logging in.

Close

In Windows, what is auditing and how do I use it?

In Windows 7, Vista, and XP, auditing allows an administrator or anyone with administrative rights to track and record the activities of users, groups, and processes. It is primarily used to diagnose performance problems and security risks, and for expansion planning.

Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see What is the principle of least privilege?

Auditing is usually enabled by default in Windows. To change the auditing options:

  1. From the Start menu, select either Control Panel, or Settings and then Control Panel.

  2. In Windows 7, first select System and Security. In all versions of Windows, open Administrative Tools, and then Local Security Policy or Local Security Settings.

  3. In the Local Security Settings window, click the arrow or + (plus sign) next to Local Policies, and then click Audit Policy.

You will then see the nine types of auditing you can do in Windows:

  • Account Logon Events: Tracks logins, logouts, and network connections

  • Account Management: Tracks changes to accounts

  • Directory Service Access: Tracks access to the Active Directory services

  • Logon Events: Tracks logins, logouts, and network connections

  • Object Access: Tracks access to files, directories, and other NTFS objects (including printers; in Windows, everything is considered an object)

  • Policy Change: Tracks changes to user rights, audit policies, and trusts

  • Privilege Use: Tracks changes to user privileges

  • Process Tracking: Tracks program activation and termination, and other object or process activity

  • System Events: Tracks server shutdowns and restarts, and logs events affecting system policy

To enable Object Access auditing:

  1. Right-click an object (e.g., a file, directory, or printer), and select Properties.

  2. Click the Security tab.

  3. In Windows 7, click Advanced, and then click the Auditing tab. In Vista or XP, click Auditing.

    Different events will be available depending on the type of object selected. Auditing is available only for NTFS objects; FAT does not allow for object auditing.

This is document akoq in domain all.
Last modified on March 31, 2010.

Comments/Questions/Corrections

Use this form to offer suggestions, corrections, and additions to the Knowledge Base. We welcome your input!

If you are affiliated with Indiana University and would like assistance with a specific computing problem, please use the Ask a Consultant form, or contact your campus Support Center.

Contact Information

Note: We will reply to your comment at this address. If your message concerns a problem receiving email, please enter an alternate email address.