Enabling audit via GPO
To configure audit settings on all domain clients:
- Click Start > Administrative Tools > Group Policy Management.
- Expand Group Policy Management > Forest > Domains > <Domain name> > Group Policy Objects.
- Right-click Default Domain Policy and select Edit.
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Audit Policy.
- From the right panel, right-click Audit system events. This policy generates events when important system events happen, such as when a user restarts or shuts down the target computer, or when an event occurs that affects the security log. For more information, refer to http://technet.microsoft.com/en-us/library/cc782518(WS.10).aspx.
- From Audit system events Properties, check Define these policy settings and select Success and Failure. Click OK.
- Repeat step 6 for the following policies:
  - Audit process tracking: generates events that track actions such as programs being launched or closed, as well as other indirect object access information that contains important security information. For more information, refer to http://technet.microsoft.com/en-us/library/cc775520(WS.10).aspx
  - Audit object access
  - Audit account management: generates events when account management operations are performed, such as creating or deleting a user account or group, enabling or disabling a user account, and setting or changing a user password. For more information, refer to http://technet.microsoft.com/en-us/library/cc737542(WS.10).aspx
- Click File > Save to save the management console. The group policy comes into effect the next time each machine is restarted.
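To confirm on a client that the four policies above are effective after the restart, the following added example (not part of the original documentation) parses the CSV report from `auditpol /get /r` and flags any subcategory that is not set to Success and Failure. It assumes an elevated PowerShell prompt and an English-language Windows installation, because `auditpol` category names are localized; the function name `Test-AuditCategory` is hypothetical.

```powershell
# Added example: verify the audit categories enabled in the GPO on a domain client.
# Assumptions: elevated prompt, English-language Windows (category names are localized).

# GPO policy name -> auditpol category name
$Required = [ordered]@{
    'Audit system events'      = 'System'
    'Audit process tracking'   = 'Detailed Tracking'
    'Audit object access'      = 'Object Access'
    'Audit account management' = 'Account Management'
}

function Test-AuditCategory {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Category,
        # CSV lines in "auditpol /get /r" format; defaults to querying the local machine
        [string[]] $Csv = (auditpol.exe /get /category:"$Category" /r)
    )
    # auditpol may emit blank lines around the CSV header; drop them before parsing
    $rows = @($Csv | Where-Object { $_.Trim() } | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw "No audit data returned for category '$Category'" }

    # Every subcategory must log both outcomes to match the GPO setting
    $gaps = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
    [pscustomobject]@{
        Category      = $Category
        Compliant     = ($gaps.Count -eq 0)
        Subcategories = $rows.Count
        Gaps          = @($gaps | ForEach-Object { "$($_.Subcategory): $($_.'Inclusion Setting')" })
    }
}

$results = foreach ($policy in $Required.Keys) {
    Test-AuditCategory -Category $Required[$policy] |
        Add-Member -NotePropertyName Policy -NotePropertyValue $policy -PassThru
}

$results | Format-Table Policy, Category, Compliant, Subcategories -AutoSize
$results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.Policy): $($_.Gaps -join '; ')"
}

# Non-zero exit code lets a deployment or monitoring job detect a non-compliant client
if ($results.Compliant -contains $false) { exit 1 }
```

A subcategory reported as a gap after the policy has applied usually means another GPO or an advanced audit policy setting is overriding the category-level value.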