How to check if auditing is switched on & how to switch it on



By default, auditing is disabled for every security category. You therefore need to establish an audit policy that suits your needs, based on which types of security events you consider most important. Auditing can cover both operating system events (such as logons and logoffs) and access to individual objects (such as a file system object, registry key or printer). Once you have decided what you want to audit, the next task is to choose the categories of events that produce the corresponding records.

On Windows 2000/XP/.NET machines:

  • Start > Settings > Control Panel > Administrative Tools > Local Security Policy
  • Security Settings > Local Policies > Audit Policy

  • Here you can see which auditing policies are enabled or disabled for your machine.
  • Double-click a policy and tick Success and/or Failure to enable the settings you require (untick both to disable it).

The auditing policies you set from this dialog will affect only your local computer. More information on individual auditing policies is available below.

Note: Domain security policies override the local security policy of a machine. Keep an eye on the "Effective Setting" column, since it shows which auditing policies are actually enabled or disabled on your machine once domain policy has been applied. For example, "Audit privilege use" may be disabled in the "Local Setting" column while the domain policy overrides it and forces it on for both success and failure privilege-use events; the "Effective Setting" column will then show "Success, Failure". Conversely, enabling a category locally has no effect if the domain policy defines it as disabled.
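The same check and change can be made from the command line, which is handy across many machines. The following is an added example, not from the original page: it uses secedit.exe (shipped with Windows 2000, XP and 2003, and still present today) to export the audit policy, report each of the nine categories, and write back a minimal security template. The file paths under $env:TEMP and the function names are assumptions; run it from an Administrators session.

```powershell
# Added example, not from the original page: check and set the local audit
# policy from the command line with secedit.exe. Run from an Administrators
# session. The file paths under $env:TEMP are assumptions.

# Template key (as used in the [Event Audit] section of a secedit/Security
# Templates .inf file) -> name shown in Local Security Policy.
$categories = @{
    AuditAccountLogon    = 'Audit account logon events'
    AuditAccountManage   = 'Audit account management'
    AuditDSAccess        = 'Audit directory service access'
    AuditLogonEvents     = 'Audit logon events'
    AuditObjectAccess    = 'Audit object access'
    AuditPolicyChange    = 'Audit policy change'
    AuditPrivilegeUse    = 'Audit privilege use'
    AuditProcessTracking = 'Audit process tracking'
    AuditSystemEvents    = 'Audit system events'
}

# Values stored in the template: 0 = No auditing, 1 = Success, 2 = Failure, 3 = both.
$meaning = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }

function Get-AuditPolicy {
    # -Effective adds /mergedpolicy (XP/2003 and later), which merges domain and
    # local settings: this is the "Effective Setting" column. Without it you
    # see only the machine's own local policy.
    param([switch]$Effective)

    $exportPath = Join-Path $env:TEMP 'audit-export.inf'
    $exportArgs = @('/export', '/cfg', $exportPath, '/areas', 'SECURITYPOLICY')
    if ($Effective) { $exportArgs += '/mergedpolicy' }
    & secedit.exe @exportArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit code $LASTEXITCODE)" }

    # The export is UTF-16 with a BOM, which Get-Content detects. Lines look like
    # "AuditLogonEvents = 3". A missing key means "Not Defined", i.e. no auditing.
    $values = @{}
    foreach ($line in Get-Content -Path $exportPath) {
        if ($line -match '^\s*(Audit\w+)\s*=\s*([0-3])\s*$') { $values[$matches[1]] = [int]$matches[2] }
    }
    foreach ($key in ($categories.Keys | Sort-Object)) {
        $v = if ($values.ContainsKey($key)) { $values[$key] } else { 0 }
        [pscustomobject]@{
            Category = $categories[$key]
            Key      = $key
            Setting  = $meaning[$v]
            Enabled  = ($v -ne 0)
        }
    }
}

function Set-AuditPolicy {
    # $Settings maps template keys to 0-3, e.g. @{ AuditLogonEvents = 3 }.
    # Only the keys you pass are changed; the rest of the policy is left alone.
    param([Parameter(Mandatory = $true)][hashtable]$Settings)

    foreach ($key in $Settings.Keys) {
        if (-not $categories.ContainsKey($key)) { throw "Unknown audit category key: $key" }
        if ($Settings[$key] -lt 0 -or $Settings[$key] -gt 3) { throw "$key must be 0 (off) to 3 (success and failure)" }
    }
    $infPath = Join-Path $env:TEMP 'audit-set.inf'
    $dbPath  = Join-Path $env:TEMP 'audit-set.sdb'
    $logPath = Join-Path $env:TEMP 'audit-set.log'

    # Minimal security template; secedit requires the [Unicode] and [Version] headers.
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Event Audit]')
    foreach ($key in $Settings.Keys) { $lines += "$key = $($Settings[$key])" }
    Set-Content -Path $infPath -Value $lines -Encoding Unicode

    & secedit.exe /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY /log $logPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $logPath" }
}

# Local setting next to what is really in force, to spot domain overrides:
Get-AuditPolicy            | Format-Table Category, Setting -AutoSize
Get-AuditPolicy -Effective | Format-Table Category, Setting -AutoSize

# A common minimum: logon, account logon, account management and policy change,
# each for both success and failure.
Set-AuditPolicy -Settings @{ AuditLogonEvents = 3; AuditAccountLogon = 3; AuditAccountManage = 3; AuditPolicyChange = 3 }
```

Two caveats. On a domain-joined machine the next Group Policy refresh re-applies the domain policy, so compare the plain and -Effective output before concluding that a local change took. On Windows Vista and later each category is split into subcategories managed with auditpol.exe (auditpol /get /category:*), and if the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, the category-level values written by secedit are ignored.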

On Windows NT machines:

To be able to enable auditing, you need to be logged in as an administrative user (one in the Administrators group). To enable auditing:

  • Start > Programs >Administrative Tools > User Manager.
  • From the User Manager Policies menu, select Audit. This brings up the Audit Policy dialog.
  • Select the "Audit These Events" option (the default, "Do Not Audit", switches auditing off entirely).
  • Select the auditing policies you want to activate.
  • Select OK to accept the Audit Policy.

Now all corresponding events will be written to the Security event log, which you can read with Event Viewer. The new Audit Policy settings remain in effect until a member of the Administrators group changes them.
More information on individual auditing policies is available below.

Auditing policies information

On Windows 2000 and later there are nine security categories which can be configured to generate events depending upon your auditing requirements (Windows NT has seven; it lacks the "account logon" and "directory service access" categories, and names the others slightly differently):

1. Audit account logon events – this category generates a success or failure event on the computer that validates the credentials, i.e. a domain controller for domain accounts and the local machine for local accounts. On a domain controller it therefore records every logon request the domain receives, whichever workstation the user is sitting at.

2. Audit account management - this category generates a success or failure event whenever a user account or group is created, renamed, changed or deleted. This includes password changes and user accounts being enabled or disabled.

3. Audit directory service access - this category generates a success or failure event whenever an Active Directory object is accessed or changed. Only domain controllers hold Active Directory objects, so only they produce these events (which go into the Security log like every other audit event). As with object access below, the category alone is not enough: the auditing entries (SACL) on the object itself, set in Active Directory Users and Computers with Advanced Features turned on, decide which accesses are recorded.

4. Audit logon events – this category is separate from "Audit account logon events": the event is recorded on the computer being logged on to or connected to, not on the computer that validated the account. A success or failure event is generated when a user logs on to or off the system, and when a user connects to or disconnects from the system via either an interactive or a network logon.

5. Audit object access - this category generates a success or failure event when a user-specified object (file, directory, registry key, printer) is accessed or changed. Enabling the category only switches the mechanism on; nothing is logged until you also add auditing entries to each object (Properties > Security > Advanced > Auditing), naming whose accesses and which access types to record. Audit only the objects and access types you care about: auditing read access on busy directories floods the Security log.

6. Audit policy change - this category generates a success or failure event when a user makes high-level changes to the security policies, from changing user rights assignments to changing the audit policy itself. Enable it whenever anything else is enabled, since it records attempts to turn the auditing off.

7. Audit privilege use - this category generates a success or failure event whenever a user exercises one of the administrative privileges (user rights) you have assigned to that user. Note that the Backup and Restore privileges are exempt by default, because every file touched by a backup would otherwise produce an event; the separate security option "Audit: Audit the use of Backup and Restore privilege" (under Security Options) turns that on.

8. Audit process tracking - this category generates a success or failure event whenever a process is launched or exits, a handle to an object is duplicated, or an object is accessed indirectly. It is invaluable for reconstructing what an intruder ran, but it is also the noisiest category, so increase the Security log size before turning it on.

9. Audit system events - this category generates a success or failure event whenever something happens that affects the entire system, such as the system being shut down or restarted, the security log filling up, or the security log being cleared. The "audit log was cleared" event should never appear unexpectedly.
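Since "Audit object access" (and, on domain controllers, "Audit directory service access") records nothing until the object carries auditing entries, here is an added example of putting those entries on a file and reading the resulting events back. It is not from the original page: the file path, the identity and the function names are assumptions, and it must run from an Administrators session because writing a SACL needs the Manage auditing and security log right (SeSecurityPrivilege).

```powershell
# Added example, not from the original page: give a file a SACL so that
# "Audit object access" produces events for it, then read those events from
# the Security log. Run from an Administrators session. The file path is an
# assumption; point it at any file you want watched.

$target = 'C:\Secret\payroll.xls'

function Add-FileAuditRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Identity = 'Everyone',   # whose accesses to record
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'
    )
    # -Audit is required: without it Get-Acl returns the DACL only and
    # Set-Acl would leave the SACL untouched.
    $acl = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList (
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileAuditRules {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    # Explicit and inherited entries, with identities rendered as DOMAIN\name.
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

function Get-FileAuditEvents {
    param([Parameter(Mandatory = $true)][string]$Path, [int]$Newest = 500)
    # Event 560 "Object Open" is what Windows 2000/XP/2003 write; 4656 (handle
    # requested) and 4663 (attempt to access object) are the Vista-and-later
    # equivalents. EntryType shows SuccessAudit or FailureAudit.
    Get-EventLog -LogName Security -Newest $Newest -InstanceId 560, 4656, 4663 |
        Where-Object { $_.Message -like "*$Path*" } |
        Select-Object TimeGenerated, InstanceId, EntryType
}

Add-FileAuditRule -Path $target
Get-FileAuditRules -Path $target | Format-Table -AutoSize
Get-Content -Path $target | Out-Null          # touch the file, then look for the record
Get-FileAuditEvents -Path $target | Format-Table -AutoSize
```

If Get-FileAuditEvents returns nothing although the rule is listed, check that "Audit object access" is enabled in the Effective Setting column, since the SACL is ignored while the category is off. Get-EventLog exists in Windows PowerShell only; on PowerShell 7 use Get-WinEvent against the Security log instead.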