A policy established on a domain in Microsoft Windows NT and Windows 2000 to specify which kinds of security events are recorded in the security log.
An Audit policy can be configured using the Policies menu in User Manager for Domains. When an Audit policy is configured on a domain controller using this tool, the policy affects the security logs for all domain controllers in that domain. If the Audit policy is configured on a member server or workstation, it applies only to that machine. You can view the results of establishing your Audit policy by using Event Viewer. The following table shows the different kinds of events that can be audited by establishing an Audit policy.
| Type of Event | Description |
| --- | --- |
| Logon and logoff | Users logging on and off and forming network connections |
| File and object access | Users accessing a file, folder, or printer on a network |
| Use of user rights | A right has been exercised, for example, backing up files and directories |
| User and group management | An account has been modified, created, or deleted |
| Security policy changes | A change has been made to an Audit policy, a trust relationship, or user rights |
| Restart, shutdown, and system | The system has been shut down or restarted, or system security has changed |
| Process tracking | A process has been started or stopped, or some related activity has occurred |
These are the requirements for establishing an Audit policy in Windows NT:
Note: To configure an Audit policy in Windows 2000, use the Computer Management administrative tool, open the System Tools folder, and select the Group Policy Editor.
TIP: Be careful when enabling auditing for File and Object Access or Process Tracking, as logging these events can generate a large amount of overhead on your system. To audit access to a file, folder, or printer, first enable File and Object Access auditing in your Audit policy, and then access the Security tab on the object’s property sheet.