Windows security auditing

This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACLs). A user who is assigned this user right can also view and clear the Security log in Event Viewer.

For more info about the Object Access audit policy, see Audit object access. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.


Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. In addition, if you enable success auditing for the basic Audit account logon events setting, only success events will be logged for all account logon-related behaviors.

In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.

The advanced audit policy settings were introduced in Windows Vista and Windows Server. Therefore, they are available in all versions of Windows released since then. The advanced settings can only be used on computers running Windows 7, Windows Server, and later. Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy.

When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.

Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.

Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy.

Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
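As an added example (not code from the original documentation), the mixed Account Logon policy described above expressed with auditpol, followed by a check of whether basic category-level auditing is being forced to be ignored. It assumes an elevated prompt on a machine whose local audit policy is not being overwritten by a domain GPO; the four subcategory names are the standard Windows Account Logon subcategories.

```powershell
# Added example: inspect and configure the four advanced "Account Logon"
# subcategories with auditpol, then verify the effective policy.
# Run from an elevated PowerShell prompt.

# 1. Show the effective setting for every Account Logon subcategory.
auditpol /get /category:"Account Logon"

# 2. Set a mixed policy that the single basic "Audit account logon events"
#    setting cannot express: success only, failure only, both, none.
auditpol /set /subcategory:"Credential Validation"              /success:enable  /failure:disable
auditpol /set /subcategory:"Kerberos Authentication Service"    /success:disable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable  /failure:enable
auditpol /set /subcategory:"Other Account Logon Events"         /success:disable /failure:disable

# 3. Check whether basic (category-level) audit policy is forced to be ignored,
#    so a leftover basic setting cannot merge back into the effective policy.
#    The registry value is the one written by the Group Policy setting
#    "Audit: Force audit policy subcategory settings (Windows Vista or later)
#    to override audit policy category settings".
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$flag = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($flag -eq 1) {
    'Basic audit policy is ignored; advanced subcategory settings are authoritative.'
} else {
    'Basic and advanced settings may both apply; enable the override setting via Group Policy.'
}

# 4. Re-read the effective policy as CSV (/r) so it can be diffed against the intended state.
$effective = auditpol /get /category:"Account Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
```

Step 4 is the check the text recommends: after Group Policy has applied advanced settings, auditpol output is the only reliable view of what is actually in force.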

However, an inherited policy can be overridden by a GPO that is linked at a lower level. For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level unless you have taken special steps to apply Group Policy loopback processing.

The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.

All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects.

Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object.

An object's security descriptor can contain two types of ACLs: a discretionary access control list (DACL), which identifies the users and groups that are allowed or denied access, and a system access control list (SACL), which controls how access to the object is audited. The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects.
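As an added example (not code from the original documentation), reading and extending the SACL of a file so that failed write and delete attempts are audited. It assumes the caller holds the "Manage auditing and security log" user right described above (SeSecurityPrivilege); the file path is a constructed placeholder.

```powershell
# Added example: view and extend a file's SACL (audit rules).
# $target is a constructed path for the example.
$target = 'C:\Finance\payroll.xlsx'

# Get-Acl without -Audit returns only the DACL; -Audit also loads the SACL,
# which requires SeSecurityPrivilege.
$acl = Get-Acl -Path $target -Audit

'Current audit rules (SACL):'
$acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Audit failed write/delete attempts by anyone. Successful reads are left
# unaudited so the Security log is not flooded with routine access.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# A SACL entry only produces events if the Object Access / File System
# subcategory is enabled in the audit policy; confirm that here.
auditpol /get /subcategory:"File System"
```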

If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.

In reply to SarahKong's post on February 22:

Thanks for your reply, Sarah Kong. I have installed Malwarebytes recently after finding out the Event Viewer was filled with many logs saying "An account was successfully logged on."

I believe what is happening is your antivirus is logging events to the Event Viewer, and when it does that you get an alert. See link below to turn it off. Note: This is a non-Microsoft website. The page appears to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as a PUP (Potentially Unwanted Products).

Thoroughly research any product advertised on the site before you decide to download and install it.
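As an added example (not part of the thread above), a way to find out what is generating a flood of event 4624 before deciding whether it is expected noise or worth investigating: group the last 24 hours of successful logons by logon type, account and originating process. It assumes the caller can read the Security log (the user right described above, or membership in Event Log Readers).

```powershell
# Added example: summarise recent 4624 ("An account was successfully logged on")
# events by logon type, target account and initiating process.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull EventData fields by name from the event XML rather than by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = $d['LogonType']      # 2 interactive, 3 network, 4 batch, 5 service, ...
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Process   = $d['ProcessName']    # process that requested the logon
        Source    = $d['IpAddress']
    }
}

# Which combination produces the volume? A scanner or scheduled task shows up
# as one account and process repeating; unexpected network logons stand out.
$rows | Group-Object LogonType, Account, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize
```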
