Auditing records user and operating system activities as events (audit entries) in the Security log. A typical event records which action was performed, who performed it, whether the action succeeded or failed, which computer or user initiated the action, and so on. To view audit events, use the Event Viewer console in Administrative Tools.
Auditing is generally performed for either security or resource-usage reasons. For example, by auditing failures of activities such as logon attempts or attempts to access a restricted share on the network, administrators can detect when unauthorized access is being attempted and thus protect the security of their systems. Similarly, by auditing successful attempts to access filesystem resources, administrators can track patterns of usage and determine when to upgrade their storage capacity.
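The following added example (not part of the original text) shows how failure audits can be turned into a detection: it flags any user and computer pair that produces a burst of failures inside a short time window. The CSV column names and the sample entries are assumptions constructed for illustration; a real Security log export has a different layout.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported audit entries. The columns are assumed names
# that mirror the fields an audit entry records: the action, who performed it,
# whether it succeeded or failed, and the computer that initiated it.
SAMPLE_EXPORT = """\
time,category,outcome,user,computer
2024-01-10 09:00:05,Logon,Failure,alice,WKS-07
2024-01-10 09:00:09,Logon,Failure,alice,WKS-07
2024-01-10 09:00:14,Logon,Failure,alice,WKS-07
2024-01-10 09:00:20,Logon,Failure,alice,WKS-07
2024-01-10 09:01:00,Logon,Success,bob,WKS-02
2024-01-10 09:30:00,Object Access,Failure,bob,WKS-02
2024-01-10 11:45:00,Object Access,Failure,bob,WKS-02
2024-01-10 14:10:00,Object Access,Failure,bob,WKS-02
2024-01-10 14:12:00,Object Access,Success,carol,WKS-03
"""


def find_failure_bursts(export_text, threshold=3, window=timedelta(minutes=5)):
    """Return sorted (user, computer, count) tuples for every user/computer
    pair with at least `threshold` failure audits inside one `window`."""
    failures = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["outcome"].strip().lower() != "failure":
            continue  # success audits serve usage tracking, not this check
        stamp = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        failures[(row["user"], row["computer"])].append(stamp)

    alerts = []
    for (user, computer), times in failures.items():
        times.sort()
        start = best = 0
        # Sliding window: drop entries older than `window` before counting.
        for end, stamp in enumerate(times):
            while stamp - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, computer, best))
    return sorted(alerts)


if __name__ == "__main__":
    for user, computer, count in find_failure_bursts(SAMPLE_EXPORT):
        print(f"{count} failure audits for {user} from {computer} within 5 minutes")
```

With the default five-minute window only the rapid run of failures is reported; the three failures spread across the day stay below the threshold, which is why a time window is used instead of a raw daily count.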
An audit policy is a type of security policy that specifies which kinds of user and system activities are audited. Before you enable auditing on a computer, you must configure the audit policy. You can configure nine types of audit policy settings:
A user is authenticated by the security database on the local machine (if part of a workgroup) or by Active Directory on a domain controller (if part of a domain).
An administrator creates, deletes, or modifies a user or group, resets a password, or performs some similar action.
A user attempts to access an object ...