Windows Server Advanced Auditing Policies

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Security auditing is a methodical examination and review of activities that may affect the security of a system. In Windows Server and Active Directory environments, security auditing comprises the features and services that log and review events for specified security-related activities.


Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.


Audit policies are configured through Group Policy. You can configure local policies, but in most Windows Server Active Directory environments, auditing is configured by applying policies at the domain, site or organizational unit level.

The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they're recorded and applied differently.


There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy, and a separate set of settings under Advanced Audit Policy Configuration. The settings available in Security Settings\Advanced Audit Policy Configuration address issues similar to those covered by the nine basic settings in Local Policies\Audit Policy, but they allow administrators to be more selective in the number and types of events to audit. Instead of the nine basic audit policy settings, there are 58 different audit policy settings available through advanced audit policies, so you can be far more specific about what you audit than the basic audit policies allow.


To help you come to terms with all these different policies, we've created a set of short videos, 5-10 minutes in length, that go through each of the advanced auditing policy categories, explain the different policies and describe the interesting event log entries the policies are likely to generate. The videos are as follows:

Introduction to Windows Server Advanced Security Auditing

Account Logon policies

Account Management policies

Detailed Tracking policies

DS Access policies

Logon/Logoff policies

Object Access policies

Policy Change policies

Privilege Use policies

System policies

Global Object Access Auditing policies


Understanding and applying audit policies is critical to making sure that the activity you want tracked on the computers you manage is actually recorded in the event log. Hopefully this set of videos, broken down into snack-sized chunks, will allow you to review what these policies can do and will help you be more deliberate in how you audit activity on the computers that you manage.
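
One way to check that the advanced audit subcategories you care about are actually enabled on a machine, as an added example that is not from the original post: it parses the CSV report produced by `auditpol /get /category:* /r` and compares it with a baseline. The baseline, the `SRV01` sample rows, the placeholder GUIDs and the function names are constructed for illustration, and English-language `auditpol` output is assumed (column names and setting values are localized).

```powershell
# Constructed baseline for illustration only; substitute your own requirements.
$Baseline = [ordered]@{
    'Credential Validation'     = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success'
    'Process Creation'          = 'Success'
    'Logon'                     = 'Success and Failure'
    'Audit Policy Change'       = 'Success'
}

function Test-AuditSetting {
    # True when the actual setting covers every event type the wanted setting asks for.
    param([string]$Actual, [string]$Wanted)
    foreach ($kind in 'Success', 'Failure') {
        if ($Wanted -match $kind -and $Actual -notmatch $kind) { return $false }
    }
    return $true
}

function Compare-AuditPolicy {
    param([string[]]$CsvLines, [System.Collections.IDictionary]$Baseline)
    # Map each reported subcategory to its effective setting, skipping blank lines.
    $effective = @{}
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $effective[$_.Subcategory] = $_.'Inclusion Setting'
    }
    foreach ($name in $Baseline.Keys) {
        $actual = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Wanted      = $Baseline[$name]
            Actual      = $actual
            Compliant   = Test-AuditSetting -Actual $actual -Wanted $Baseline[$name]
        }
    }
}

# Constructed sample rows in the format of: auditpol /get /category:* /r
$g = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real subcategory GUID
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    "SRV01,System,Credential Validation,$g,Success,"
    "SRV01,System,User Account Management,$g,Success and Failure,"
    "SRV01,System,Process Creation,$g,No Auditing,"
    "SRV01,System,Logon,$g,Success and Failure,"
    "SRV01,System,Audit Policy Change,$g,Success,"
)
Compare-AuditPolicy -CsvLines $sample -Baseline $Baseline | Format-Table -AutoSize

# On a live system, from an elevated prompt, feed the real report instead:
# Compare-AuditPolicy -CsvLines (auditpol /get /category:* /r) -Baseline $Baseline
```

With the sample rows, Credential Validation (failure events missing), Process Creation (no auditing) and Security Group Management (not reported) are flagged as non-compliant.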


You can also consult detailed information about advanced audit policies at the following link on Microsoft Learn:

