System Audit

From: michael (
Date: 07/09/02

From: "michael" <>
Date: Tue, 9 Jul 2002 13:05:47 -0700

which platform? nt4, win2k?

for nt4:

- open usrmgr against the machine(s) in question.
- fromt he pull down menu, select policies --> audit
- check the "audit these events" box
- check the success and failures options for "restart,
shutdown, and system"

these events will now be logged in the event log.

for win2k:

- open the "local security policy" mmc
- choose computer configuration --> windows setttings -->
local policies --> audit policy
- enable success and failures for "audit system events"

>-----Original Message-----
>I was curious if anyone knows if you can audit a specific
>event. I just want to audit system shutdown and who might
>be doing that. I know it's probably a easy question I'm
>more of a developer but the admin left the company and
>just doing so basic stuff until a new one is hired.

Relevant Pages

  • Where this Audit Polciy comming from?
    ... Audit Policies on my domain. ... Domain Controllers Security Policies - Not define to all Audit Events ... Domain Security Policy - Not define to all Audit Events ...
  • Checking - will this Windows audit-tool be useful?
    ... I'm working on a Windows audit tool. ... I do a lot of Windows / Active Directory audits. ... policies, computer OS-versions, account settings, etc. ...
  • Folder Audit auf W2K Server
    ... ich würde gerne auf einem Unsere Server einen bestimmten Ordner überwachen ... local Policies unter Audit Policies "Audit Object access" enablen soll und ... dann bei dem Ordner das Audit einschalten. ...
  • Re: Audit domain logons
    ... certain changes you make in either User Manager> Policies> Audit or the ... Default DC GPO will map to each other one for one. ... need to enable both "Audit account logon events" and "Audit logon events." ...
  • Re: [PATCH 1/2] audit: fix NUL handling in untrusted strings
    ... byte is one example of prohibited interpretation. ... A primary purpose of the audit system is to log with the greatest ... if the kernel's behavior somehow depended on the bytes after NUL due to ...