This document explains how to set up auditing of security events in Windows XP. By default, this feature is disabled when Windows XP is installed. This example configures Audit Policy using the "Local Security Policy" MMC snap-in. Machines that are members of an Active Directory domain can use this procedure or a similar procedure using Group Policy. Machines that are not members of an Active Directory domain must use the following procedure.

To enable auditing of security events:

1.) Click on "Start" -> "Programs" -> "Administrative Tools" -> "Local Security Policy".

2.) Navigate to the "Audit Policy" folder, as shown in the figure.



3.) Double-click on the items in the right pane to enable auditing for "Successful" and/or "Failed" actions.

You can set auditing for the success or failure of the following:
  • Account logon events: An Active Directory domain controller received a request to validate a username and password.

  • Account Management: An administrator created, changed, deleted, disabled, enabled, or renamed a user or group.

  • Directory Service Access: A user read, changed, added or deleted an object in the Active Directory database. You must also enable auditing on individual Directory objects (similar to auditing of file access).

  • Logon Events: A user logged on or off from the console or network.

  • Object Access: Enable Object Access auditing to audit access to files or printers. In addition, you must enable auditing on the individual file or printer.

  • Policy Change: Audit changes to user rights, audit policies, and security policies.

  • Privilege Use: A user used a "User Right". User rights are also assigned using the "Local Security Policy" MMC snap-in.

  • Process Tracking: Used by programmers to debug software.

  • System: Audit system events that relate to security, such as security log full or system shutdown.
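
To confirm the result of the procedure without opening the snap-in, the local policy can be exported with "secedit /export /cfg audit.inf" and its [Event Audit] section checked against the nine categories above. The following is an added example, not part of the original document; the file name audit.inf, the function names and the sample export are assumptions made for illustration.

```python
# Added example: read the [Event Audit] section of a secedit export.
# Template values: 0 = none, 1 = success, 2 = failure, 3 = both.
CATEGORIES = {  # template key -> category name used on this page
    "AuditAccountLogon": "Account logon events",
    "AuditAccountManage": "Account Management",
    "AuditDSAccess": "Directory Service Access",
    "AuditLogonEvents": "Logon Events",
    "AuditObjectAccess": "Object Access",
    "AuditPolicyChange": "Policy Change",
    "AuditPrivilegeUse": "Privilege Use",
    "AuditProcessTracking": "Process Tracking",
    "AuditSystemEvents": "System",
}
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Constructed sample; a real export is usually UTF-16 (open(path, encoding="utf-16")).
SAMPLE_INF = """\
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditAccountLogon = 2
[Version]
signature="$CHICAGO$"
"""

def parse_audit_policy(inf_text):
    """Return {category: setting}; keys absent from the export are "Not defined"."""
    policy = {name: "Not defined" for name in CATEGORIES.values()}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # track which section we are in
        elif section == "event audit" and "=" in line:
            key, _, value = line.partition("=")
            name = CATEGORIES.get(key.strip())
            if name and value.strip().isdigit():
                policy[name] = SETTINGS.get(int(value.strip()), "Unknown value")
    return policy

def unaudited(policy):
    """Categories the export does not show as audited for success or failure."""
    return sorted(n for n, s in policy.items() if s in ("No auditing", "Not defined"))

if __name__ == "__main__":
    print(unaudited(parse_audit_policy(SAMPLE_INF)))
```

Remember that "Object Access" and "Directory Service Access" showing as enabled here only covers the policy switch; the per-object auditing described above is configured separately.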







