An Easy Way to Create a Global Audit Policy

Log on to your domain as a member of the local Administrators group and start the Group Policy Management Console (GPMC).

In the console tree, navigate to DomainsGroup Policy ObjectsDefault Domain Controllers Policy, where is the name of your domain. Right-click Default Domain Controllers Policy and click Edit.

In the Group Policy Management Editor, navigate to the Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationSystem Audit Policies container.

Double-click Object Access, then double-click Audit Registry. Select the Configure the following audit events check box, select the Success and Failure check boxes, and click OK.

Double-click Global Object Access Policies, then double-click Registry. Select the Define this policy setting check box and click Configure.

In the Advanced Security Settings for Global Registry SACL box, click Add. Add all default administrator groups (e.g., Domain Admins, Enterprise Admins) to the list and other custom administrator groups that you've defined and want to audit.

In the Auditing Entry for Global Registry SACL box, select the Successful or Failed activities (e.g., Create Subkey, Delete, Change Permissions, Read) for which you want to log audit entries.

Click OK three times to complete the audit policy configuration.

Apply the Group Policy Object (GPO) change. On each of your DCs, open a command prompt and run the command:

gpupdate /force