Enable Audit Policy manually on clients
To configure audit settings on machines running Microsoft® Windows® Vista or later:
- Click Start > Run and key in secpol.msc. Press Enter.
- From the Security Settings node, expand Local Policies > Audit Policy.
- From the right panel, double-click Audit object access.
- From Audit object access Properties, select Success and Failure. Click OK.
- From the right pane, double-click Audit Process tracking.
- From Audit process trackingGenerates events which track actions such as programs which are launched, closed, as well as other indirect object access information which contain important security information. For more information, refer to http://technet.microsoft.com/en-us/library/cc775520(WS.10).aspx Properties, select Success and Failure. Click OK.
- From the right panel, double-click Audit account managementGenerates events when account management operations are done such as create/delete a user account or group, enable/disable a user account and set/change a user password. For more information, refer to http://technet.microsoft.com/en-us/library/cc737542(WS.10).aspx.
- From Audit account management Properties, select Success and Failure. Click OK.
- From the right panel, double-click Audit system eventsGenerates events when important system events happen such as user restarts or shuts down the target computer or when an event occurs that affects the security log. For more information, refer to http://technet.microsoft.com/en-us/library/cc782518(WS.10).aspx.
- From Audit system events Properties, select Success and Failure. Click OK.
- Close the local Security Policy window.