Indiana University
University Information Technology Services
  

In Windows 2000, XP, and Vista, what is auditing and how do I use it?

In Windows 2000, XP, and Vista, auditing allows an administrator or anyone with administrative rights to track and record the activities of users, groups, and processes. It is primarily used to diagnose performance problems and security risks, and for expansion planning.

Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see "What is the principle of least privilege?"

Auditing in general is enabled by default in Windows 2000, XP, and Vista. To change the auditing options, follow the steps below:

  1. From the Start menu, select either Control Panel, or Settings and then Control Panel.

  2. In the Control Panel, select Administrative Tools and then Local Security Policy or Local Security Settings.

  3. In the Local Security Settings window, click the + next to Local Policies and then click Audit Policy.

This shows you the nine types of auditing you can do in Windows 2000, XP, and Vista. Following is a description of each type:

  • Account Logon Events: Tracks logins, logouts, and network connections

  • Account Management: Tracks changes to accounts

  • Directory Service Access: Tracks access to the Active Directory services

  • Logon Events: Tracks logins, logouts, and network connections

  • Object Access: Tracks access to files, directories, and other NTFS objects (including printers, because everything in Windows 2000, XP, and Vista is considered an object)

  • Policy Change: Tracks changes to user rights, audit policies, and trusts

  • Privilege Use: Tracks changes to user privileges

  • Process Tracking: Tracks program activation and termination, and other object or process activity

  • System Events: Tracks server shutdowns and restarts, and logs events affecting system policy

To enable Object Access auditing, you need to select the objects being audited. To do this, right-click an object (e.g., a file, directory, or printer). Select Properties, and then select the Security tab. Click the Auditing button. Different events will be available depending on the type of object selected. Auditing is available only for NTFS objects; FAT does not allow for object auditing.
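To review the nine Audit Policy settings without opening the console, the following added example (not part of the original Knowledge Base document) parses the [Event Audit] section of a security template export and reports each category's setting. It assumes the file was produced with `secedit /export /cfg` and read as UTF-16 text; the sample export and the function names are constructed for illustration.

```python
import configparser

# [Event Audit] keys of a security template export -> the nine Audit Policy categories.
CATEGORIES = {
    "AuditAccountLogon": "Account Logon Events",
    "AuditAccountManage": "Account Management",
    "AuditDSAccess": "Directory Service Access",
    "AuditLogonEvents": "Logon Events",
    "AuditObjectAccess": "Object Access",
    "AuditPolicyChange": "Policy Change",
    "AuditPrivilegeUse": "Privilege Use",
    "AuditProcessTracking": "Process Tracking",
    "AuditSystemEvents": "System Events",
}
# Setting values: 1 = audit successes, 2 = audit failures, 3 = both.
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Constructed sample export, not taken from a real machine.
SAMPLE_EXPORT = """\
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
"""

def parse_audit_policy(inf_text):
    """Return {category name: setting} for all nine categories."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",), allow_no_value=True)
    parser.optionxform = str  # keep key case exactly as exported
    parser.read_string(inf_text.lstrip("\ufeff"))  # drop a leading BOM if present
    section = dict(parser["Event Audit"]) if parser.has_section("Event Audit") else {}
    policy = {}
    for key, name in CATEGORIES.items():
        raw = section.get(key)
        policy[name] = "Not defined" if raw is None else SETTINGS.get(int(raw), "Unknown")
    return policy

def unaudited(policy):
    """Categories that currently record nothing to the Security log."""
    return [n for n, s in policy.items() if s in ("No auditing", "Not defined")]

if __name__ == "__main__":
    print(parse_audit_policy(SAMPLE_EXPORT), unaudited(parse_audit_policy(SAMPLE_EXPORT)))
```

A category reported as enabled for Object Access still records nothing until auditing entries are set on the individual NTFS objects, as described above.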

This is document akoq in domain all.
Last modified on May 13, 2009.
