Name

auditing

Synopsis

Tracking user and operating-system activities.

Description

Auditing records user and operating-system activities as events (audit entries) in the security log. A typical event records what action was performed, who performed it, whether the action succeeded or failed, what computer the action was initiated on, and so on. Auditing is generally performed for two purposes:

Security

By auditing failures of activities such as logon attempts or attempts to access a restricted share on the network, administrators can detect when unauthorized access is being attempted.

Resource usage

By auditing successful attempts to access shared folders, administrators can track patterns of usage for that resource to help determine upgrade and maintenance procedures.
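Both purposes can be seen on a small set of audit entries. The following is an added example, not taken from the book: the CSV column names, accounts, computers, share names, threshold, and time window are all constructed assumptions that mirror the fields the text says an event records.

```python
import csv, io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit entries (not real log data). Column names are
# assumptions mirroring what the text says an event records.
SAMPLE = """time,action,user,outcome,computer,target
2000-03-01 09:00:05,logon,jsmith,Failure,WKSTN7,
2000-03-01 09:00:09,logon,jsmith,Failure,WKSTN7,
2000-03-01 09:00:14,logon,jsmith,Failure,WKSTN7,
2000-03-01 09:01:30,logon,jsmith,Success,WKSTN7,
2000-03-01 09:05:00,share_access,mdoe,Success,WKSTN2,Reports
2000-03-01 09:06:00,share_access,mdoe,Failure,WKSTN2,Payroll
2000-03-01 09:40:00,share_access,akhan,Success,WKSTN4,Reports
2000-03-01 11:15:00,logon,mdoe,Failure,WKSTN2,
2000-03-01 15:20:00,logon,mdoe,Failure,WKSTN2,
"""

def parse(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    return rows

def failure_bursts(events, threshold=3, window_minutes=5):
    """Security: (user, computer) pairs with >= threshold failures inside the window."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failure":
            by_key[(e["user"], e["computer"])].append(e["time"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

def share_usage(events):
    """Resource usage: successful accesses per shared folder."""
    return Counter(e["target"] for e in events
                   if e["action"] == "share_access" and e["outcome"] == "Success")

if __name__ == "__main__":
    events = parse(SAMPLE)
    print("failure bursts:", failure_bursts(events))
    print("share usage:", dict(share_usage(events)))
```

The three failures for mdoe are spread over the day and stay below the five-minute threshold, while the burst for jsmith is flagged; the failed Payroll access counts toward the security view but not toward usage of the share.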

Audit Policy

An audit policy is a type of security policy that specifies what kinds of user and system activities will be audited. Before you enable auditing on a computer, you must configure the audit policy. The following types of events can be audited for success or failure:

Account logon events

A user is authenticated by the security database on the local machine (if part of a workgroup) or by Active Directory on a domain controller (if part of a domain).

Account management

An administrator creates, deletes, or modifies a user or group, resets a password, or performs some similar action.

Directory service access

A user attempts to access an object in Active Directory. (This requires further configuration; see Section later ...
