In Windows Vista and Windows Server 2008, audit policy is organized hierarchically. This is a significant enhancement to audit policy; previous versions of Windows had a flat audit policy with a much smaller degree of control over the resultant audit volume.

Prior to Windows Vista, each security event was mapped to one of nine audit policy categories. By enabling either success or failure auditing for an audit category, you enable all the audit events for that category. Figure 8-2 shows the organization of audit policy in pre-Windows Vista systems.

Figure 8-2. Pre-Windows Vista hierarchical audit policy organization.

In Windows ...