System Audit

From: michael (
Date: 07/09/02

From: "michael" <>
Date: Tue, 9 Jul 2002 13:05:47 -0700

which platform? nt4, win2k?

for nt4:

- open usrmgr against the machine(s) in question.
- from the pull down menu, select policies --> audit
- check the "audit these events" box
- check the success and failures options for "restart,
shutdown, and system"

these events will now be logged in the event log.

for win2k:

- open the "local security policy" mmc
- choose computer configuration --> windows settings -->
local policies --> audit policy
- enable success and failures for "audit system events"

>-----Original Message-----
>I was curious if anyone knows if you can audit a specific
>event. I just want to audit system shutdown and who might
>be doing that. I know it's probably an easy question I'm
>more of a developer but the admin left the company and
>just doing some basic stuff until a new one is hired.
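
Added example, not part of the original post: a check that the win2k "audit system events" setting described above is enabled for both success and failure, run against a security template INF exported from the machine. It assumes the template's [Event Audit] section uses the key AuditSystemEvents with 1 = success, 2 = failure, 3 = both; the sample templates and function names are constructed for illustration.

```python
import configparser

SUCCESS, FAILURE = 1, 2  # bit flags in [Event Audit] values (assumed encoding)

# Constructed sample templates: before and after enabling the setting.
SAMPLE_BEFORE = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 2
[Version]
signature="$CHICAGO$"
Revision=1
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("AuditSystemEvents = 0",
                                     "AuditSystemEvents = 3")


def read_audit_settings(template_text):
    """Return {name: int} from the [Event Audit] section, {} if it is absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # keep key case as written
    parser.read_string(template_text)
    if not parser.has_section("Event Audit"):
        return {}
    return {k: int(v) for k, v in parser.items("Event Audit")
            if v is not None and v.strip().isdigit()}


def check_system_event_auditing(template_text):
    """Return (ok, message) for the "audit system events" setting."""
    value = read_audit_settings(template_text).get("AuditSystemEvents")
    if value is None:
        return False, "AuditSystemEvents is not defined in the template"
    missing = [name for flag, name in ((SUCCESS, "success"), (FAILURE, "failure"))
               if not value & flag]
    if missing:
        return False, "AuditSystemEvents=%d, missing: %s" % (value, ", ".join(missing))
    return True, "AuditSystemEvents=%d, success and failure are audited" % value


if __name__ == "__main__":
    # Assumption: a real export is usually UTF-16, so read it with encoding="utf-16".
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_system_event_auditing(text))
```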
