How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.

This article discusses how to use Group Policy to configure detailed security auditing settings for computers that are running Windows Vista or Windows Server 2008 in a Windows Server 2003 domain or in a Windows 2000 domain. In Windows Vista and in Windows Server 2008, you have more control over individual audit policy subcategories than you have in earlier versions of Windows operating systems. The individual audit policy subcategories that are available in Windows Vista are not exposed in the interface of Group Policy tools. Administrators can use the procedure that is described in this article to deploy a custom audit policy that applies detailed security auditing settings to Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2003 domain or in a Windows 2000 domain.

Things to consider

The following are some things to consider before you perform the procedure that this article discusses:

• The procedure uses sample code. The sample code uses the Netlogon share. Additionally, the sample code uses the %SystemRoot%\Temp folder as the cache.
• The procedure uses the Contoso.com sample domain.
• The procedure assumes that the following conditions are true:
  • You are familiar with the following technologies and tools:
    • Group Policy startup scripts
    • Group Policy Management Console
    • The Auditpol.exe command-line tool
  • You have a basic understanding of batch file processing.
• You are familiar with the scripts that the procedure uses work to override legacy domain-based audit policy settings with the detailed audit policy settings that are available in Windows Vista. If you do not want to configure the detailed audit policy settings that are available in Windows Vista, do not use the procedure that this article discusses.
• A legacy policy overwrites the auditpol settings only if the auditpol settings are defined explicitly in the legacy policy. This behavior is by design. Additionally, if the auditpol settings are specified as “No auditing” or as “not defined,” the auditpol settings have precedence and are not overwritten by the legacy policy.

Use Group Policy to configure detailed security auditing settings for computers

To use Group Policy to configure detailed security auditing settings for Windows Vista-based or Windows Server 2008-based computers in a Windows Server 2003 domain or in a Windows 2000 domain, follow these steps.

Step 1: Determine the security auditing settings that you want to deploy to Windows Vista-based or Windows Server 2008-based computers

1. Log on to a computer as a user who has administrator credentials.
2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
3. In the User Account Control dialog box, click Continue.
4. Flush the default audit policy settings. To do this, type the following line at the command prompt, and then press ENTER:
   auditpol /clear
5. Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want.
   
   For example, type the following lines at the command prompt. Press ENTER after each line.
   auditpol /set /subcategory:"user account management" /success:enable /failure:enable
   auditpol /set /subcategory:"logon" /success:enable /failure:enable
   auditpol /set /subcategory:"IPSEC Main Mode" /failure:enable
   Note To see all possible categories and subcategories, type the following line at the command prompt, and then press ENTER:
   auditpol /list /subcategory:*
6. Type the following line at the command prompt, and then press ENTER:
   auditpol /backup /file:auditpolicy.txt
7. Copy the Auditpolicy.txt file to the Netlogon share of the domain controller that holds the primary domain controller (PDC) emulator role in the domain.
   
   The Auditpolicy.txt file contains all the audit policy settings that you configured. The startup script uses this file to reapply the policy. After you successfully apply the startup script one time, you do not have to restart the computer to update audit policy settings. To update audit policy settings, overwrite the earlier version of the Auditpolicy.txt file that you copied to the Netlogon share. To do this, create a new Auditpolicy.txt file, and then copy the new Auditpolicy.txt file to the Netlogon share.

Step 2: Create the scripts, and then add the scripts to the Netlogon share

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

1. Create the AuditPolicy.cmd script. To do this, follow these steps:
   1. Start Notepad, and then open a blank document.
   2. Paste the following code to the document in Notepad:

      @echo off
      
      REM AuditPolicy.cmd
      REM (c) 2006 Microsoft Corporation.  All rights reserved.
      REM Sample Audit Script to deploy Windows Vista
      REM Granular Audit Policy settings.
      
      REM Should be run as a startup script from Group Policy
      
      REM ###################################################
      REM Declare Variables so that we only need to edit file
      REM names/paths in one location in script
      REM ###################################################
      
      set AuditPolicyLog=%systemroot%\temp\auditpolicy.log
      set OSVersionSwap=%systemroot%\temp\osversionwap.txt
      set OsVersionTxt=%systemroot%\temp\osversion.txt
      set MachineDomainTxt=%systemroot%\temp\machinedomain.txt
      set MachineDomainSwap=%systemroot%\temp\machinedomainSwap.txt
      set ApplyAuditPolicyCMD=applyauditpolicy.cmd
      set AuditPolicyTxt=auditpolicy.txt
      
      REM ###################################################
      REM Clear Log & start fresh
      REM ###################################################
      
      if exist %AuditPolicyLog% del %AuditPolicyLog% /q /f
      date /t > %AuditPolicyLog% & time /t >> %AuditPolicyLog%
      echo.
      
      REM ###################################################
      REM Check OS Version
      REM ###################################################
      
      ver | findstr "[" > %OSVersionSwap%
      for /f "tokens=2 delims=[" %%i in (%OSVersionSwap%) do echo %%i > %OsVersionTxt%
      for /f "tokens=2 delims=] " %%i in (%OsVersionTxt%) do set osversion=%%i
      echo OS Version=%osversion% >> %AuditPolicyLog%
      
      REM ###################################################
      REM Skip Pre-Vista
      REM ###################################################
      
      if "%osversion%" LSS "6.0" exit /b 1
      
      REM ###################################################
      REM Get Domain Name
      REM ###################################################
      
      WMIC /namespace:\\root\cimv2 path Win32_ComputerSystem get domain /format:list > %MachineDomainSwap%
      find /i "Domain=" %MachineDomainSwap% > %MachineDomainTxt%
      for /f "Tokens=2 Delims==" %%i in (%MachineDomainTxt%) do set machinedomain=%%i
      echo Machine domain=%machinedomain% >> %AuditPolicyLog%
      
      REM ###################################################
      REM Copy Script & Policy to Local Directory or Terminate
      REM ###################################################
      
      xcopy \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% %systemroot%\temp\*.* /r /h /v /y
      if %ERRORLEVEL% NEQ 0 (
          echo Could not read \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% >> %AuditPolicyLog%
          exit /b 1
      ) else (
          echo Copied \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% to %systemroot%\temp >> %AuditPolicyLog%
      )
      
      xcopy \\%machinedomain%\netlogon\%AuditPolicyTxt% %systemroot%\temp\*.* /r /h /v /y
      if %ERRORLEVEL% NEQ 0 (
          echo Could not read \\%machinedomain%\netlogon\%AuditPolicyTxt% >> %AuditPolicyLog%
          exit /b 1
      ) else (
          echo Copied \\%machinedomain%\netlogon\%AuditPolicyTxt% to %systemroot%\temp >> %AuditPolicyLog%
      )
      
      REM ###################################################
      REM Create Named Scheduled Task to Apply Policy
      REM ###################################################
      
      %systemroot%\system32\schtasks.exe /create /ru System /tn audit /sc hourly /mo 1 /f /rl highest /tr "%systemroot%\temp\%ApplyAuditPolicyCMD%"
      if %ERRORLEVEL% NEQ 0 (
          echo Failed to create scheduled task for Audit >> %AuditPolicyLog%
          exit /b 1
      ) else (
          echo Created scheduled task for Audit >> %AuditPolicyLog%
      )
      
      REM ###################################################
      REM Start Named Scheduled Task to Apply Policy
      REM ###################################################
      
      %systemroot%\system32\schtasks.exe /run /tn audit
      if %ERRORLEVEL% NEQ 0 (
          Failed to execute scheduled task for Audit >> %AuditPolicyLog%
      ) else (
          echo Executed scheduled task for Audit >> %AuditPolicyLog%
      )

   3. On the File menu, click Save.
   4. In the Save as type box, click All Files, type AuditPolicy.cmd in the File name box, and then click Save.
2. Create the ApplyAuditPolicy.cmd script. To do this, follow these steps:
   1. Start Notepad, and then open a blank document.
   2. Paste the following code to the document in Notepad:

      @echo off
      
      REM ApplyAuditPolicy.cmd
      REM (c) 2006 Microsoft Corporation.  All rights reserved.
      REM Sample Audit Script to deploy Windows Vista
      REM Granular Audit Policy settings.
      
      
      REM ###################################################
      REM Declare Variables so that we only need to edit file
      REM names/paths in one location in script
      REM ###################################################
      
      set DeleteAudit=DeleteAudit.txt
      set AuditPolicyLog=%systemroot%\temp\AuditPolicy.log
      set ApplyAuditPolicyLog=%systemroot%\temp\ApplyAuditPolicy.log
      set OSVersionSwap=%systemroot%\temp\osversionwap.txt
      set OsVersionTxt=%systemroot%\temp\osversion.txt
      set MachineDomainTxt=%systemroot%\temp\machinedomain.txt
      set MachineDomainSwap=%systemroot%\temp\machinedomainSwap.txt
      set ApplyAuditPolicyCMD=ApplyAuditpolicy.cmd
      set AuditPolicyTxt=AuditPolicy.txt
      
      REM ###################################################
      REM Clear Log & start fresh
      REM ###################################################
      
      if exist %ApplyAuditPolicyLog% del %ApplyAuditPolicyLog% /q /f
      date /t > %ApplyAuditPolicyLog% & time /t >> %ApplyAuditPolicyLog%
      echo.
      
      REM ###################################################
      REM Check OS Version
      REM ###################################################
      
      ver | findstr "[" > %OSVersionSwap%
      for /f "tokens=2 delims=[" %%i in (%OSVersionSwap%) do echo %%i > %OsVersionTxt%
      for /f "tokens=2 delims=] " %%i in (%OsVersionTxt%) do set osversion=%%i
      echo OS Version=%osversion% >> %ApplyAuditPolicyLog%
      
      REM ###################################################
      REM Skip Pre-Vista
      REM ###################################################
      
      if "%osversion%" LSS "6.0" exit /b 1
      
      REM ###################################################
      REM Get Domain Name
      REM ###################################################
      
      WMIC /namespace:\\root\cimv2 path Win32_ComputerSystem get domain /format:list > %MachineDomainSwap%
      find /i "Domain=" %MachineDomainSwap% > %MachineDomainTxt%
      for /f "Tokens=2 Delims==" %%i in (%MachineDomainTxt%) do set machinedomain=%%i
      echo Machine domain=%machinedomain% >> %ApplyAuditPolicyLog%
      
      REM ###################################################
      REM Delete Audit Task
      REM Should only be used to remove the pseudo-policy from
      REM client machines (designed for future Vista revisions
      REM where this script will no longer be necessary, and this
      REM script needs to be backed out).
      
      REM to use, simply create a file in NETLOGON with a name
      REM that matches the contents of DeleteAudit variable (above)
      REM ###################################################
      
      if exist \\%machinedomain%\netlogon\%DeleteAudit% (
          %systemroot%\system32\schtasks.exe /delete /tn "Audit" /F
          DEL %AuditPolicyLog%
          DEL %ApplyAuditPolicyLog%
          DEL %OSVersionSwap%
          DEL %OsVersionTxt%
          DEL %MachineDomainTxt%
          DEL %MachineDomainSwap%
          DEL %systemroot%\temp\%ApplyAuditPolicyCMD%
          DEL %systemroot%\temp\%AuditPolicyTxt%
          exit /b 1
      ) 
      
      REM ###################################################
      REM Copy Audit Policy to Local Directory
      REM This is tolerant of failures since the copy is just
      REM a "cache refresh".
      REM ###################################################
      
      xcopy \\%machinedomain%\netlogon\%AuditPolicyTxt% %systemroot%\temp\*.* /r /h /v /y
      if %ERRORLEVEL% NEQ 0 (
          echo Could not read \\%machinedomain%\netlogon\%AuditPolicyTxt% so using previous cached copy>> %ApplyAuditPolicyLog%
      ) else (
          echo Copied \\%machinedomain%\netlogon\%AuditPolicyTxt% to %systemroot%\temp >> %ApplyAuditPolicyLog%
      )
      
      REM ###################################################
      REM Apply Policy
      REM ###################################################
      
      %systemroot%\system32\auditpol.exe /restore /file:%systemroot%\temp\%AuditPolicyTxt%
      if %ERRORLEVEL% NEQ 0 (
          Failed to apply audit settings >> %ApplyAuditPolicyLog%
      ) else (
          echo Successfully applied audit settings >> %ApplyAuditPolicyLog%
      )

   3. On the File menu, click Save.
   4. In the Save as type box, click All Files, type ApplyAuditPolicy.cmd in the File name box, and then click Save.
3. Copy the AuditPolicy.cmd script and the ApplyAuditPolicy.cmd script to the Netlogon share of the domain controller that holds the PDC emulator role in the domain.
4. Wait until Active Directory replication occurs. Also, wait until the files and folders in the system volume (SYSVOL) shared folder replicate on domain controllers in the domain.
5. Add the startup script to the Default Domain Policy. To do this, follow these steps:
   1. Start the Active Directory Users and Computers tool.
   2. Right-click DomainName, and then click Properties.
   3. Click the Group Policy tab, click Default Domain Policy, and then click Edit. The Group Policy Object Editor tool starts.
   4. Expand Computer Configuration, expand Windows Settings, and then click Scripts (Startup/Shutdown).
   5. Double-click Startup, and then click Add.
   6. In the Script Name box, type the universal naming convention (UNC) path of the AuditPolicy.cmd file that is located in the Netlogon share. Use the following format:
      \\FullyQualifiedDomainName\Netlogon\AuditPolicy.cmd
      For example, type \\contoso.com\netlogon\auditpolicy.cmd.
   7. Click OK two times.

Step 3: Verify that the security auditing settings are successfully applied

1. Wait until Active Directory replication occurs. Also, wait until the files and folders in the system volume (SYSVOL) shared folder replicate on domain controllers in the domain.
2. Restart a computer that is joined to the domain. Then, log on to the computer as a user who has administrator credentials.
3. Click Start, point to All Programs, and then click Accessories.
4. Right-click Command Prompt, and then click Run as administrator.
5. In the User Account Control dialog box, click Continue.
6. Type the following line at the command prompt, and then press ENTER:
   auditpol /get /category:*
7. Verify that the security auditing settings that are displayed at the command prompt match the settings that are configured in the AuditPolicy.txt file that you created in "Step 1: Determine the security auditing settings that you want to deploy to Windows Vista-based or Windows Server 2008-based computers."
   
   If the security auditing settings do not match, examine the log files that are generated by the startup script in the %SystemRoot%\Temp folder. If no log files exist in the %SystemRoot%\Temp folder, examine the computer to determine why Group Policy was not applied.

For more information about how to configure startup scripts in Active Directory, visit the following Microsoft Web sites: For more information about Group Policy Management Console, visit the following Microsoft Web site:For more information about the Auditpol.exe command-line tool and the Schtasks.exe command-line tool, see Windows Vista Help and Support.