Configure Audit Policy by Using GPOs

Auditing is an important security feature that logs events about specific activities to the Windows Security log. You can then monitor these events to identify issues that need your attention. An audit policy lets you record the success or failure of audited events, such as account logon, object access, or directory service change events. Auditing involves three components: the audit policy, the audit settings on the object, and the security log.

To audit file or folder access, you must add auditing entries to the SACL (System Access Control List) of the files and folders and then define the Audit object access policy setting. The SACL of an Active Directory object specifies which account will be tracked, which type of access will be tracked (such as read, create, and modify), and whether successful or failed access to the object is recorded.

You can configure permissions and auditing on a folder by following the steps given below:
  1. Create a group called grp_notepad so that you can use it to deny access to a folder.
  2. Right-click the folder in which you want to enable auditing and select the Properties option to open the Properties window.
  3. Click the Security tab, add the grp_notepad group, and deny the Full Control permission to the group.
  4. Click the Advanced button and then click the Auditing tab in the Advanced Security Settings window of the folder, as shown in the figure.
  5. Click Edit, add the grp_notepad group in the window that appears, and click OK.
  6. Select the Failed check box next to the Full control field in the Audit Entry dialog box that appears and click OK, as shown in Figure 5-28.
    Figure 5-28
To enable audit policy for the default security policy on a domain controller, you need to:
  1. Click Start -> Settings -> Control Panel -> Administrative Tools -> Group Policy Management.
  2. Right-click Default Domain Controllers Policy under the Group Policy Objects container, and then click Edit. The Group Policy Management Editor (GPME) appears.
  3. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
  4. Double-click Audit object access in the right pane.
  5. Select the Define these policy settings option in the Audit object access Properties window that appears, as shown in Figure 5-29.
  6. Select the Failure check box and then click OK.
  7. Type gpupdate at the command prompt of the server and then press ENTER. The policy will be updated.
    Figure 5-30

Finally, you need to evaluate the resulting audit entries in the security log. Windows Server 2008 provides more detailed auditing of changes to objects in AD. To enable this category of auditing, you need to use Auditpol.exe.
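The following PowerShell script is an added example, not part of the original text, that performs the same configuration as the two GUI procedures above and then checks the Security log for the resulting failure events. It assumes a folder at C:\Shares\Notes and that the grp_notepad group exists in a domain called EXAMPLE; both values are placeholders to adjust.

```powershell
# Added example: folder SACL, audit policy via auditpol, and a Security-log check.
# Run from an elevated prompt; reading or writing a SACL requires SeSecurityPrivilege.
$Folder    = 'C:\Shares\Notes'          # assumed folder path (placeholder)
$Principal = 'EXAMPLE\grp_notepad'      # group from the text, assumed domain name

# 1. Add a Failed / Full Control audit entry for the group, inherited by subfolders and files.
#    This is the SACL entry the Audit Entry dialog (Figure 5-28) creates.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. Enable failure auditing for object access, which is what the GPO setting does.
#    Legacy category, matching the "Audit object access" policy in the text:
auditpol /set /category:"Object Access" /failure:enable
#    Windows Server 2008 also lets you narrow this to the File System subcategory:
auditpol /set /subcategory:"File System" /failure:enable
#    The more detailed AD object-change auditing mentioned above is a subcategory too:
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /category:"Object Access"

# 3. Confirm the audit entries now present on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. Evaluate the Security log: failed handle requests (event ID 4656, keyword Audit Failure)
#    that name this folder, from the last 24 hours. Properties[1] is the SubjectUserName field.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' -and
                   $_.Message -match [regex]::Escape($Folder) } |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

When a GPO defines the legacy Audit object access category, it overrides the per-subcategory auditpol settings unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.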