Friday 17 August 2007

Creating Audit Policies In Windows Server 2003 Part III

The process of enabling auditing is similar for domain controllers and non-domain controllers. The biggest difference is that you use Active Directory Users and Computers on domain controllers and the local security policy on non-domain controllers.

To set up an audit policy for your domain controllers:
  1. Open the Active Directory Users And Computers console.
  2. Right-click Domain Controllers and select Properties.
  3. Click the Group Policy tab.
  4. Select the group policy that you want to audit and click Edit. Windows will load the Group Policy console.
  5. Navigate through the Group Policy console to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

To set up auditing on a non-domain controller:

  1. Open the Control Panel.
  2. Double-click Administrative Tools.
  3. Double-click Local Security Policy.
  4. Expand Local Policies and highlight Audit Policy.

From this point, the technique is the same whether you’re on a domain controller or not.

Let’s look at an example. To audit logon failures, right-click Audit Logon Events and select Properties from the resulting context menu. You’ll see a dialog box that lets you choose which events to audit. The dialog box will vary slightly depending on whether or not you’re auditing a domain controller.

Once you’ve set up the audit policy, you must apply it. To do so, you must either type a command at the command prompt, reboot your server, or wait until the next propagation cycle, which is usually every eight hours. If you decide that typing the command is the easiest method, open a command prompt window, type the following command, and press Enter:

GPUPDATE /target:computer
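
To confirm that the audit policy actually took effect after the refresh, the effective settings can be exported with secedit and compared with what you intended. The script below is an added example, not part of the original post; the file name audit.inf, the required-settings dictionary, and the sample export are constructed for illustration.

```python
# Added example: decode the [Event Audit] section of a security template
# exported with:  secedit /export /cfg audit.inf /areas SECURITYPOLICY
# Each value is a bitmask: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
import configparser

SUCCESS, FAILURE = 1, 2

# Constructed sample export (illustrative values, not from a real server).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
"""

def parse_event_audit(text):
    """Return {setting: {"success": bool, "failure": bool}} from template text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
    if not parser.has_section("Event Audit"):
        raise ValueError("no [Event Audit] section in export")
    result = {}
    for name, raw in parser.items("Event Audit"):
        mask = int(raw)
        result[name] = {"success": bool(mask & SUCCESS),
                        "failure": bool(mask & FAILURE)}
    return result

def missing_audits(text, required):
    """List 'Setting:outcome' pairs that are required but not enabled."""
    actual = parse_event_audit(text)
    gaps = []
    for name, outcomes in required.items():
        state = actual.get(name, {"success": False, "failure": False})
        gaps += [f"{name}:{o}" for o in outcomes if not state[o]]
    return gaps
```

Real secedit exports are UTF-16 files, so read them with open(path, encoding="utf-16") before passing the text to parse_event_audit.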
