Join Timothy Pintello for an in-depth discussion in this video Configuring an audit policy, part of Windows Server 2012: Create and Manage Group Policy.
- In order to configure an Audit Policy on a local computer, you need to use a local Group Policy object like we did previously. So, let's come down to our Start button. Right click the Start button, click Run and type "mmc" in again and click Enter. Again, we have our empty Management console, let's go ahead and add the Group Policy object to this empty console. Let's click File, Add/Remove Snap-In, click Group Policy Object, Add it, click Finish, and then click OK.
This now brings up our Local Computer Policy. Let's go ahead and open that up so we can see our two nodes in it. Before we go any further, let's go ahead and Save this console as "Console One" so we can use it in the future without having to re-create it every time. To save the console, we come up here to File, Save As, and then save under whatever name you want. In this case, I'll just go ahead and save it as "Console One". Save. Now let's go ahead and make this larger so we can see it.
And now, to create an Audit Policy, we have to go the Computer Configuration node. So, let's open up the Computer Configuration node. Under the Computer Configuration node, we have Software Policies, Windows Settings, and Administrative Templates. The Audit Policies are located under the Windows Settings sub-node. Let's open that up, and now let's go ahead and open up our Security Settings node below that. And finally, let's go to Local Policies, since this is a Local Policy we want to audit, so let's double click that.
Now, you'll notice we have Audit Policy, User Right Assignments, and Security Options. The Audit Policy is what we want to go ahead and create. To create an Audit Policy, we can double click the Audit Policy node. This will bring up all the different settings we can edit on the Local Computer. Let's go ahead and choose one of these, and just right click it. So, let's right click Audit Logon Events. Right click it and then click Properties. When we open up this Properties dialog box, you'll notice we can set this particular policy to either, Success, Failure, or we can have both of them checked on.
We, then, go ahead and apply the settings we choose and click OK. The Audit Logon Event policy is now set to log both successes and failures. Now, we have set an event to be audited, let's go ahead and look at the log where all the audits will be recorded. The best way to get to that is to go back to our Server Management tool. So, let's go ahead and minimize this. Now that we are in the Server Management, let's come to Tools, and then choose the Event Viewer.
Let's go ahead and make this larger so we can see it. Now, the Audit Log is a Windows Log, therefore, it would be under the Windows Log option. So, we double click the Windows Log option, we'll see five potential logs. The log we are interested in is the Security log. If we double click the Security log, it will bring up all the successes or failures that have been recorded since we've set that event.
- Configuring the Group Policy central store
- Configuring Group Policy settings
- Setting GPO states
- Setting up security policies
- Configuring user rights
- Configuring local users and groups
- Configuring software restriction rules
- Configuring Windows Firewall