Each Windows system on your network has nine audit policy categories and policy subcategories, which you can enable or disable.
You will see policy settings for only the main categories:
When you open an audit policy, you may or may not be able to modify it, depending on whether the policy has been defined in a Group Policy Object (GPO) that has been applied to the local system.
  • Audit account logon events;
  • Audit logon events;
  • Audit account management;
  • Audit directory service access;
  • Audit object access;
  • Audit policy change;
  • Audit privilege use;
  • Audit process tracking;
  • Audit system events;
Run the Group Policy editor:

Go to Advanced Audit Policy Configuration – Audit Policies – Object Access, and setup as following: Audit File System – Define – Success and Failures

If you have Windows 10 version then you can set this feature:

Audit Handle Manipulation – Define – Success and Failures

See the next image:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Translate »