Configure Local Audit Policies

Local audit policies must be configured on the target servers to get the “Who” and “When” values for the changes to the following monitored system components:

  • Audit policies
  • File shares
  • Hardware and system drivers
  • General computer settings

  • Local users and groups
  • Services
  • Scheduled tasks
  • Windows registry
  • Removable media

You can also configure advanced audit policies for same purpose. See Configure Advanced Audit Policies for more information.

Manual Configuration

While there are several methods to configure local audit policies, this guide covers just one of them: how to configure policies locally with the Local Security Policy snap-in. To apply settings to the whole domain, use the Group Policy but consider the possible impact on your environment.

To configure local audit policies

  1. On the audited server, open the Local Security Policy snap-in: navigate to Start Windows Administrative Tools (Windows Server 2016 and higher) or Administrative Tools (Windows 2012) Local Security Policy.
  2. Navigate to Security Settings Local Policies Audit Policy.

    Policy Name Audit Events

    Audit account management


    Audit object access


    Audit policy change


Configuration via Group Policy

Personnel with administrative rights can use Group Policy Objects to apply configuration settings to multiple servers in bulk.

To configure audit policies (Windows Server 2008 R2 and later)

  1. Open the Group Policy Management console on the domain controller, browse to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit Policies.
  2. Configure the following audit policies:
    Policy Sub-nodePolicy NameAudit Events

    Account Management


    Audit Computer Account Management


    Audit Security Group Management



    Audit User Account Management


    Object AccessAudit Handle Manipulation"Success"
    Audit Other Object Access Events"Success"
    Audit Registry"Success"
    Audit File Share"Success"
    Policy ChangeAudit Audit Policy Change"Success"

When finished, run the gpupdate /force command to force group policy update.