XP auditing features allow you to audit events on the local
computer and record them in the Event Viewer security
log. Configuring auditing in Windows XP may require two steps.
The first is always configuring an Audit Policy in
Group Policy to specify which actions should be audited and
recorded. The second is specifying which objects, users, and
groups to audit. For example, if you want to audit all failed
attempts to access a certain NTFS file or folder, you must
set the Audit object access policy to ‘failure’
as shown in the screenshots below. You can start the Group
Policy console by running gpedit.msc.
XP offers the following audit policy:
account logon events
users logging on or logging off to another computer using
an account from this computer.
user account and group management.
access to objects in Active Directory. In addition to
enabling this audit policy, you need to configure the
specific objects you want to audit as well, just like
with the Audit object access policy.
users logging on or logging off to this computer.
access to files, folders, and printers.
changes to local group policy, including user rights assignment
and audit policy.
the use of user rights assignments
the actions of programs.
shut downs or restarts of the computer and events related
to the Security log.
On the properties dialog of an Audit policy, you can enable
success, failure or both.
must be logged on as an administrator or as a member of the
Administrators group to configure auditing. If you want non-administrators
to be able to configure auditing and view the security log,
you must grant them the Manage auditing and security log
right in Group Policy.
you enabled the audit policy Audit object access
from the example earlier, you must specify which files and
folders, or printers, to audit by using Windows Explorer.
On the Security tab of a file or folder’s Properties,
click the Advanced button. On the Auditing
tab of the Advanced Security Settings
dialog you can add the user or group whose actions you want
When you add a user or group, the Auditing Entry
dialog box opens, allowing you to select Successful,
Failed, or both for the actions you want to audit.
If you enable these settings on a folder or volume, they will
apply to subfolders and files as well, as shown below. Whether
successful or failed access attempts are actually audited
and logged depends on the setting of the audit policy.
you configured auditing correctly and any of these events
occur, they will be written to the Security log in
the Event Viewer. Successful attempts will show up
with a key icon and failed events will display a lock. You
can double-click on an audit log entry to display additional
details such as object names and locations.
prevent the security log from becoming full and overwriting
older entries you may need to reconfigure the Log Size
setting on the Security Properties (right-click on
Security under System Tools, Event Viewer
in Computer Management). By default, the maximum
log size is 512 KB and events older than 7 days are overwritten.
When the maximum log size is reached and there are no events
older than 7 days, new events will be discarded. Depending
on how you configured the audit policy and how much objects
and users you configured for auditing, you may have to increase
the log size and/or change the number of days. You can choose
to overwrite events as needed, or never overwrite events.
The latter would also cause new events to be discarded when
the maximum log size is reached. In a domain environment,
these settings can be controlled by using Group Policy.
you configure auditing on a large amount of clients, you should
archive the event logs periodically and gather them on a central
management console for example. Because checking the audit
logs can be a tedious and time-consuming job, you should carefully
plan the configuration of you audit policy. Especially try
to avoid logging successful events for every insignificant
action, as it will quickly fill up the security log.