Configuring Per-User Auditing

Q: In the Windows audit policy, an administrator can specify whether to log the success and/or failure events of different event categories (e.g., object access, logon/logoff). Does Windows provide a mechanism to define this audit policy more granularly, such as on a per-user basis? I want to specify an audit policy that logs only the failure logon/logoff events of the Administrator account. Currently, the most granular policy I can specify is to log the logon/logoff failures of all the accounts in the domain.

A: In Windows XP SP2 and Windows Server 2003, Microsoft introduced per-user auditing, which provides the functionality you’re looking for. Per user-auditing is also supported in Windows Server 2008 and Windows Vista.

Per-user auditing lets an administrator define exceptions to the Windows audit policy (i.e., the audit policy you define in the Group Policy Object—GPO—settings) on a per-user basis. However, exceptions can’t be defined for the Administrator account or for members of the Administrators group. In fact, exceptions can’t be defined for any groups—only for individual user accounts.

Per-user auditing can be configured only from the command line by using the auditusr.exe tool in Windows 2003 SP1 and XP SP2, and the auditpol.exe tool in Server 2008 and Vista. You can define either inclusion (e.g., log object-access success events for only user Joe) or exclusion (e.g., log object-access success events for everyone except user Joe) exceptions. To audit only the actions of a small set of accounts, you must leave the default auditing policy turned off in the GPO settings, and then use auditusr or auditpol to tell your system to audit certain event categories for particular user accounts only. To audit certain event categories for everyone except for a small number of accounts, you must turn on auditing in the GPO settings, which typically audits the events for all user accounts, and then use auditusr or auditpol to exempt particular user accounts from the GPO-level audit policy.

The following is a sample auditusr command that tells Windows not to log object-access success events for account Joe:

auditusr /es MydomainJoe:"Object Access" 

The first auditusr parameter (/es) is the most complex. The /es switch tells auditusr to exclude success events of a given event category for a particular user account, even if these success events are enabled in the GPO-level audit policy. Other options for this parameter include the following:
• /ef—Use this switch to exclude failure events, even if the GPO-level audit policy is set to include failure events.
• /is—Use this switch to include success events, even if the GPO-level audit policy is set to exclude success events.
• /if—Use this switch to include failure events, even if the GPO-level audit policy is set to exclude failure events.

The second parameter (Mydomain) of the auditusr command specifies the account name the exception applies to. The last parameter (“Object Access”) specifies the event category the exception applies to. This parameter must always be in quotation marks and can be one of the following event categories:
• System Event
• Logon/Logoff
• Object Access
• Privilege Use
• Detailed Tracking
• Policy Change
• Account Management
• Directory Service Access
• Account Logon

In Server 2008 and Vista, run the following auditpol command to tell Windows not to log object-access success events for account Joe:

auditpol /set /user:MydomainJoe 
/Category:"Object Access" 
/success:enable /exclude 

Many of the auditpol switches in this command are self-explanatory. The switch that deserves more explanation is /category. The /category switch supports all the audit categories that are supported by the auditusr command, which are listed above. A related switch, /subcategory, is a new switch that lets administrators fine-tune the per-user audit policy even more than is possible in XP SP2 and Windows 2003. For example, you can now specify that you want Windows to log only the success of registry or file system object-access events. In that case, all the other object-access events that occur on the system won’t be logged.

To get an overview of all the audit categories and subcategories that are available in Server 2008 and Vista, run the following auditpol command:

Auditpol /list /subcategory:* 

For more information about the auditpol command, go to http://support.microsoft.com/kb/921469.