Configuring Advanced Audit Policy Manually for Windows Workstations

ADAudit Plus collects the data logged in the security logs of configured workstations and generates reports from it. What gets logged in those security logs depends on the Audit Policy / Advanced Audit Policy (available in 2008 R2, Windows 7 & above) configured for each workstation.

Configuring the Advanced Audit Policy ensures that only the security logs required for auditing are collected, so that disk space does not fill up quickly with unwanted logs.

Configuring Advanced Audit Policy for Workstations in a Windows Server Environment (2008 R2, Windows 7 & above):

The Advanced Audit Policy is to be configured in the GPO that is applied to all selected workstations, so that only the security logs required for auditing are collected.

Which Advanced Audit Policies are to be configured in the GPO?

  • To audit Logon / Logoff: Select Logon / Logoff → Configure Logon (Success & Failure), Audit Logoff (Success), Network Policy Server (Success & Failure), Other Logon / Logoff Events (Success).

Step-by-step procedure to edit the GPO:

  1. Log on to Windows with an account that has Administrator rights.

  2. Ensure that the Group Policy snap-in is installed.

  3. Open the GPMC (Group Policy Management Console) on the Windows Server.

  4. Navigate to the GPO that is applied to all selected workstations:

     Group Policy Management Console -> Domain Controllers -> GPO applicable for Workstations

  5. Right-click the GPO and click 'Edit'.

  6. In the Group Policy Management Editor, navigate to the 'Audit Policies' node:

     Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies

  7. In the right pane, double-click the policy that you want to configure (enable / disable).
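
To confirm on a workstation that the GPO has taken effect, the following added example (not part of the ADAudit Plus documentation) compares the output of auditpol.exe with the Logon / Logoff values listed on this page. It assumes English-locale subcategory names and an elevated PowerShell session; the function name `Test-LogonLogoffAuditPolicy`, the host name WS01 and the sample rows are constructed for illustration.

```powershell
# Added example: check effective Logon/Logoff audit settings against this page's values.
# Assumption: English-locale subcategory names as printed by auditpol.exe.
$Expected = [ordered]@{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Network Policy Server'     = 'Success and Failure'
    'Other Logon/Logoff Events' = 'Success'
}

function Test-LogonLogoffAuditPolicy {   # hypothetical helper name
    param(
        # CSV lines in "auditpol /r" format. When omitted, the local machine
        # is queried, which requires an elevated session.
        [string[]]$CsvLines
    )
    if (-not $CsvLines) {
        $CsvLines = auditpol.exe /get /category:"Logon/Logoff" /r
    }
    # Drop empty lines in the report, then parse it as CSV.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

# Constructed sample in auditpol /r format (GUID column is a placeholder).
# Logoff is deliberately set to "No Auditing" to show a non-compliant row.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'WS01,System,Logon,{placeholder-guid},Success and Failure,'
    'WS01,System,Logoff,{placeholder-guid},No Auditing,'
    'WS01,System,Other Logon/Logoff Events,{placeholder-guid},Success,'
    'WS01,System,Network Policy Server,{placeholder-guid},Success and Failure,'
)

Test-LogonLogoffAuditPolicy -CsvLines $sample | Format-Table -AutoSize

# On a real workstation, after the GPO has been applied (gpupdate /force):
# Test-LogonLogoffAuditPolicy | Format-Table -AutoSize
```

Any row with Compliant = False means the workstation is not receiving the GPO setting for that subcategory, so the corresponding events will be missing from the security log that ADAudit Plus reads.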

Copyright © 2014, ZOHO Corp. All Rights Reserved.
ManageEngine