Each Windows system on your network has nine audit policy categories, each with policy subcategories, which you can enable or disable.
When you open an audit policy, you may or may not be able to modify it, depending on whether the policy has been defined in a Group Policy Object (GPO) that has been applied to the local system.
You will see policy settings for the main categories only:
- Audit account logon events;
- Audit logon events;
- Audit account management;
- Audit directory service access;
- Audit object access;
- Audit policy change;
- Audit privilege use;
- Audit process tracking;
- Audit system events.
Run the Group Policy editor:
    gpedit.msc
Go to Advanced Audit Policy Configuration – Audit Policies – Object Access, and set the following:
Audit File System – Define – Success and Failures
If you are running Windows 10, you can also set this feature:
Audit Handle Manipulation – Define – Success and Failures
See the next image:
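The same two Object Access subcategories can be set and verified from the command line with the built-in `auditpol.exe`. This is an added example, not part of the original page; it assumes an elevated PowerShell session and English subcategory names (they are localized on other systems).

```powershell
#Requires -RunAsAdministrator
# Added example: enable and verify Success and Failure auditing for the
# "File System" and "Handle Manipulation" subcategories.
# Assumption: subcategory names and the "Inclusion Setting" values are the
# English ones printed by auditpol.exe on an English-language system.

$wanted = 'File System', 'Handle Manipulation'

function Get-AuditSetting {
    param([string]$Subcategory)
    # /r prints the result as CSV; drop blank lines before parsing.
    $csv = auditpol.exe /get /subcategory:"$Subcategory" /r |
        Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed for '$Subcategory'"
    }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

foreach ($sub in $wanted) {
    $before = Get-AuditSetting $sub

    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable |
        Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed for '$sub'"
    }

    # Read the value back instead of trusting the /set exit code alone.
    $after = Get-AuditSetting $sub

    [pscustomobject]@{
        Subcategory = $sub
        Before      = $before
        After       = $after
        Compliant   = ($after -eq 'Success and Failure')
    }
}
```

If a GPO applied to the system defines these subcategories, the value set here is replaced at the next policy refresh, so run the check again after `gpupdate /force` to confirm what is actually in effect.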
