In Windows 2000 and XP, what is auditing and how do I use it?

Posted On 2005-11-1 by FortyPoundHead

In Windows 2000 and XP, auditing allows you to
track and record the activities of users, groups, and processes. It
is primarily used to diagnose performance problems and security risks,
and for expansion planning.

Enabling auditing

Auditing in general is enabled by default in Windows 2000 and XP. To
change the auditing options, follow the steps below:

  1. From the Start menu, select Settings and then
    Control Panel. In the Control Panel, select
    Administrative Tools and then Local Security Policy.

    Note: In Windows XP, the default desktop
    view and Start menu are quite different from the Windows
    Classic View (e.g., in Windows 2000). Therefore, navigating
    to certain items may be different in XP; for example, the path from
    the Start menu to the Control Panel in the default XP view is simply
    Start, then Control Panel, whereas in the Classic
    View it is Start, then Settings, then Control
    Panel. In the interest of broad applicability, most
    instructions in the Knowledge Base assume that you are using the
    Classic View. There are several steps you can take to switch from the
    Windows XP default view to the Windows Classic View. For more
    information, see the Knowledge Base document "In Windows XP, how do I switch to the Windows Classic View, Classic theme, or Classic Control Panel?"

  2. In the Local Security Settings window, click the
    + next to Local Policies and then click Audit Policy.

This shows you the nine types of auditing you can do in Windows 2000
and XP. A description of each type is listed below:

  • Account Logon Events: Tracks logins, logouts, and
    network connections

  • Account Management: Tracks changes to accounts

  • Directory Service Access: Tracks access to the
    Active Directory services

  • Logon Events: Tracks logins, logouts, and network
    connections

  • Object Access: Tracks access to files,
    directories, and other NTFS objects (including printers,
    because everything in Windows 2000 and XP is considered an object)

  • Policy Change: Tracks changes to user rights,
    audit policies, and trusts

  • Privilege Use: Tracks changes to user

  • Process Tracking: Tracks program activation and
    termination, and other object or process activity

  • System Events: Tracks server
    shutdowns and restarts, and logs events affecting system policy

To enable Object Access auditing, you need to select the objects being
audited. To do this, right-click an object (e.g., a file, directory,
or printer). Select Properties, and then select the
Security tab. Click the Auditing button. Different
events will be available depending on the type of object
selected. Auditing is available only for NTFS objects; FAT does not
allow for object auditing.
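
The nine audit settings can also be reviewed outside the Local Security Settings window. The following is an added example, not part of the original article: it assumes the policy was exported with `secedit /export /cfg audit.inf` (the file name is an assumption), reads the `[Event Audit]` section of that file, where 0 means no auditing, 1 success, 2 failure and 3 both, and lists the categories that record nothing. The function names and the sample export are constructed for illustration.

```python
# Key in the [Event Audit] section -> name shown under Audit Policy
AUDIT_KEYS = {
    "AuditAccountLogon": "Account Logon Events",
    "AuditAccountManage": "Account Management",
    "AuditDSAccess": "Directory Service Access",
    "AuditLogonEvents": "Logon Events",
    "AuditObjectAccess": "Object Access",
    "AuditPolicyChange": "Policy Change",
    "AuditPrivilegeUse": "Privilege Use",
    "AuditProcessTracking": "Process Tracking",
    "AuditSystemEvents": "System Events",
}
SETTINGS = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}
# Constructed sample of an export (not taken from a real machine).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditAccountLogon = 3
"""

def read_audit_policy(inf_text):
    """Map each of the nine audit categories to its setting."""
    values, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # entering a new INF section
        elif section == "Event Audit" and "=" in line:
            key, _, raw = line.partition("=")
            values[key.strip()] = raw.strip()
    return {name: SETTINGS.get(values[key], "Unknown (%s)" % values[key])
            if key in values else "Not defined"
            for key, name in AUDIT_KEYS.items()}

def not_recording(policy):
    """Categories set to no auditing or missing from the export."""
    return sorted(n for n, s in policy.items() if s in ("No auditing", "Not defined"))

if __name__ == "__main__":
    for name, setting in read_audit_policy(SAMPLE_EXPORT).items():
        print("%-26s %s" % (name, setting))
```

When reading a real export, open the file with `encoding="utf-16"`, since secedit writes it as Unicode. If Object Access appears in the `not_recording` result, the per-object auditing entries set on the Security tab produce no events.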
