Audit Policies

Types of Audit Policies

  1. Logon/Logoff Events: Tracks when users log on and off the system, capturing both successful and failed logon attempts.

  2. Object Access: Monitors when files, folders, and other objects are accessed.

  3. Account Logon: Monitors when users authenticate against a domain controller (for domain-based systems).

  4. Directory Service Access: Audits access to Active Directory objects.

  5. Account Management: Tracks changes to user accounts, group memberships, and permissions.

  6. Privilege Use: Tracks the use of sensitive system privileges, like changing system time or backing up files.

  7. System Events: Audits system-level events such as system shutdowns, restarts, or system service changes.


Configuring Audit Policies through Group Policy

1. Open the Group Policy Editor

  • Press Win + R, type gpedit.msc, and press Enter.

2. Navigate to the Audit Policy Settings

  • For local policies, go to:

    Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies

3. Configure Audit Policies

Under Advanced Audit Policy Configuration, you'll see several categories of policies, such as:

  • Account Logon

  • Logon/Logoff

  • Object Access

  • Account Management

  • Directory Service Access

  • Privilege Use

  • System Events

These policy configurations vary from organisation to organisation, so check the policy path and enable the policy settings according to your organisation's compliance requirements.
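Once the policy is applied, the effective settings can be verified on the host. The following PowerShell script is an added example, not part of this page; it reads the effective audit policy with the built-in auditpol.exe and reports which subcategories in the categories listed above are still set to No Auditing. It assumes an elevated prompt, and that auditpol's "DS Access" and "System" categories correspond to "Directory Service Access" and "System Events" above.

```powershell
# Added example, not from the page: audit-policy check with the built-in auditpol.exe.
# Assumptions: elevated prompt; auditpol names the page's "Directory Service Access"
# and "System Events" categories "DS Access" and "System".
$Categories = @(
    'Account Logon', 'Logon/Logoff', 'Object Access', 'Account Management',
    'DS Access', 'Privilege Use', 'System'
)

function Get-AuditGaps {
    param([string[]]$CategoryNames = $Categories)
    foreach ($cat in $CategoryNames) {
        # /r prints CSV with the columns: Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting
        $rows = auditpol /get /category:"$cat" /r | Where-Object { $_ } | ConvertFrom-Csv
        foreach ($row in $rows) {
            [pscustomobject]@{
                Category    = $cat
                Subcategory = $row.Subcategory
                Setting     = $row.'Inclusion Setting'   # e.g. "Success and Failure"
                Gap         = ($row.'Inclusion Setting' -eq 'No Auditing')
            }
        }
    }
}

function Enable-AuditSubcategory {
    # Enables success and failure auditing for one subcategory, e.g. 'Logon'.
    # A local auditpol change is overwritten at the next Group Policy refresh if a
    # GPO defines the same setting, so on managed hosts make the change in the GPO.
    param([Parameter(Mandatory)][string]$Subcategory)
    auditpol /set /subcategory:"$Subcategory" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$Subcategory'" }
}

$gaps = Get-AuditGaps | Where-Object Gap
if ($gaps) {
    Write-Host "Subcategories with no auditing configured:"
    $gaps | Format-Table Category, Subcategory, Setting -AutoSize
} else {
    Write-Host "All listed categories have some auditing enabled."
}
```

Run the check before and after a Group Policy refresh (gpupdate /force) to confirm the GPO settings actually took effect on the host.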
