Event Auditing

Many event categories can be selected for auditing. Some of the recommended ones are:

Audit Account Management - records when a user or group is created, changed, or deleted; when a user account is renamed, disabled, or enabled; or when a password is changed on a user account.

Audit Directory Service Access - provides a low-level audit trail of changes to objects in AD. This is like Audit Account Management, but it lets you identify exactly which fields of a user account or any other AD object were accessed. Audit Directory Service Access is the only way to track changes to OUs and GPOs, which can be important for change-control purposes.

Audit Logon Events - defines the auditing of every user attempt to log on to or log off from a computer within the domain.

Audit Policy Change - determines whether the operating system generates audit events when changes are made to audit policy.

Audit Privilege Use - tracks the exercise of user rights.

Audit Process Tracking - tracks each program that is executed, either by the system or by end users.

Audit System Events - covers an eclectic mix of security-relevant system events, including system start-up and shutdown, and any event that affects either system security or the security log.
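
To confirm that the categories listed above are actually being recorded on a given machine, the following added example (not part of the original page) reads the effective policy with the built-in auditpol.exe tool and flags subcategories that log nothing. It assumes an elevated PowerShell prompt and an English-language Windows install, because auditpol category names are localized; the mapping from the policy names used on this page to auditpol category names is supplied here.

```powershell
# Added example: report the effective audit setting for each recommended category.
# Assumptions: elevated prompt, English-language Windows (category names are localized).

# Policy name as used on this page -> auditpol.exe category name
$recommended = [ordered]@{
    'Audit Account Management'       = 'Account Management'
    'Audit Directory Service Access' = 'DS Access'
    'Audit Logon Events'             = 'Logon/Logoff'
    'Audit Policy Change'            = 'Policy Change'
    'Audit Privilege Use'            = 'Privilege Use'
    'Audit Process Tracking'         = 'Detailed Tracking'
    'Audit System Events'            = 'System'
}

$report = foreach ($entry in $recommended.GetEnumerator()) {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $csv = auditpol.exe /get /category:"$($entry.Value)" /r 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for '$($entry.Value)' (not elevated, or localized category name?)"
        continue
    }
    # Drop blank lines before parsing, then keep only the fields of interest.
    $csv | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Policy      = $entry.Key
            Subcategory = $_.Subcategory
            Setting     = $_.'Inclusion Setting'   # Success, Failure, Success and Failure, or No Auditing
        }
    }
}

$report | Format-Table -AutoSize

# A subcategory set to "No Auditing" produces no events: a gap in the recommended coverage.
$gaps = @($report | Where-Object { $_.Setting -eq 'No Auditing' })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} subcategories in the recommended categories are not audited" -f $gaps.Count)
    $gaps | Format-Table Policy, Subcategory -AutoSize
}
```

Not every gap needs closing: Audit Process Tracking and Audit Directory Service Access can generate a high volume of events, so review the flagged subcategories against what the security log can retain.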