Local audit policies must be configured on the target servers to get the “Who” and “When” values for the changes to the following monitored system components:
- Audit policies
- File shares
- Hardware and system drivers
General computer settings
- Local users and groups
- Scheduled tasks
- Windows registry
- Removable media
You can also configure advanced audit policies for same purpose. See Configure Advanced Audit Policies for more information.
While there are several methods to configure local audit policies, this guide covers just one of them: how to configure policies locally with the Local Security Policy snap-in. To apply settings to the whole domain, use the Group Policy but consider the possible impact on your environment.
To configure local audit policies
- On the audited server, open the Local Security Policy snap-in: navigate to Start → Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) → Local Security Policy.
Navigate to Security Settings → Local Policies → Audit Policy.
Policy Name Audit Events
Audit account management
Audit object access
Audit policy change