How to view advanced audit policy configuration?
- Advanced auditing allows for more granular audit configuration, so that only events you are interested in capturing are written to the Event Log.
- The new settings can be found in Group Policy under:
Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration.
The original audit settings can be found here:
Security Settings\Local Policies\Audit Policy.
- Enable the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" in Group Policy to make sure that basic auditing is disabled.
- The setting can be found under
Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in.
- Now that you’ve disabled basic auditing, you can navigate to the Advanced Audit Policy Configuration node and enable auditing for any of the subcategories. In the new advanced configuration there are four different account logon events that can be audited:
- Audit Credential Validation
- Audit Kerberos Authentication Service
- Audit Kerberos Service Ticket Operations
- Audit Other Account Logon Events
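
To confirm on a given machine that the override is in place and that the four account logon subcategories are actually being audited, a check like the following can be run from an elevated PowerShell prompt. This is an added example, not part of the original page. It assumes English subcategory names as printed by auditpol.exe and that the SCENoApplyLegacyAuditPolicy value lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the function names are hypothetical.

```powershell
# Added example: verify that advanced (subcategory) auditing is in effect.
# Requires an elevated session, because auditpol.exe needs administrator rights.

function Test-LegacyAuditOverride {
    # SCENoApplyLegacyAuditPolicy = 1 means subcategory settings override
    # the basic category settings. Absent or 0 means basic auditing can still apply.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Get-AccountLogonAuditState {
    # /r makes auditpol emit CSV; blank lines are dropped before parsing.
    $csv = auditpol.exe /get /category:"Account Logon" /r | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit code $LASTEXITCODE). Is the session elevated?"
    }
    $csv | ConvertFrom-Csv |
        Select-Object Subcategory, @{ Name = 'Setting'; Expression = { $_.'Inclusion Setting' } }
}

# The four account logon subcategories, as auditpol names them (English systems).
$expected = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events'
)

if (-not (Test-LegacyAuditOverride)) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not set to 1: basic audit policy may override subcategory settings.'
}

$state = Get-AccountLogonAuditState
foreach ($name in $expected) {
    $row = $state | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) {
        Write-Warning "Subcategory not reported by auditpol: $name"
    } elseif ($row.Setting -eq 'No Auditing') {
        Write-Warning "Not audited: $name"
    } else {
        Write-Output ("{0}: {1}" -f $name, $row.Setting)
    }
}
```

auditpol reports the effective policy on the machine, so a mismatch with what is configured in the GPO usually points to a policy that has not applied yet or to the override setting being missing.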