Information Technology Reference
In-Depth Information
FIGURE 2-36
The Audit Logon Properties dialog box
The Logon/Logoff policy settings are straightforward success or failure settings. But
other settings, such as those for Global Object Access Auditing, are more involved and are
described in the following “Creating expression-based audit policies” section.
To ensure that advanced auditing isn't overridden by basic auditing policies, set the
Force Audit Policy Subcategory Settings (Windows Vista Or Later) To Override Audit Policy
Category Settings policy in the Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Security Options folder to Enabled.
Windows Server 2012 enables expression-based audit policies that enable you to audit only
the specific actions and users of interest. You can build expression-based audit policies for
either the file system or the registry by using Global Object Access Auditing. To enable an
expression-based audit of a file system folder, for example, follow these steps:
1.
In the GPMC, select the GPO for which you want to enable an expression-based audit
and select Edit from the context menu to open the Group Policy Management Editor.
2.
Double-click File System under Global Object Access Auditing in the Advanced
Audit Policy Configuration section of the Computer Configuration\Policies\Windows
Settings\Security Settings folder.
