Enabling audit via GPO

To configure audit settings on all domain clients:

  1. Click Start > Administrative Tools > Group Policy Management.
  2. Expand Group Policy Management > Forest > Domains > <Domain name> > Group Policy Objects.
  3. Right-click Default Domain Policy and select Edit.
  4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Audit Policy.

Group Policy Management Editor

  1. From the right panel, right-click Audit system eventsGenerates events when important system events happen such as user restarts or shuts down the target computer or when an event occurs that affects the security log. For more information, refer to http://technet.microsoft.com/en-us/library/cc782518(WS.10).aspx.
  2. From Audit system events Properties, check Define these policy settings and select Success and Failure. Click OK.
  3. Repeat step 6 for the following policies:
  1. Click File > Save to save the management console. The group policy comes into effect the next time each machine is restarted.