Auditing on a per-user basis

  • Section(s): Security
  • Published on Mar 01, 2006.
  • Last Modified on Mar 01, 2006.
  • Last Modified by Mitch Tulloch.
How to configure per-user auditing.

Windows Server 2003 Service Pack 1 lets you do something you couldn't do on previous platforms, namely configure audit settings on a per-user basis. This new feature is called "Per-User Selective Audit". It was actually present in Windows Server 2003 RTM, but by mistake the command-line tool auditusr.exe wasn't included for that platform.

Per-user auditing is useful, for example, when you want to audit only logon/logoff events for all users, but want *all* audit settings enabled for one particular user you are suspicious about. In other words, it's a good tool for drilling in on suspicious activity on your network.

To configure per-user auditing, you use the auditusr.exe tool. To find out how to use it, open a command prompt window and type auditusr /? for instructions.
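The scenario above as a batch file, added here as an example and not taken from the original article: it turns on success and failure auditing in every category for one account and leaves the system-wide audit policy (assumed to be auditing only logon/logoff) untouched. The account name CONTOSO\jdoe and the backup file name are hypothetical; check the switch and category spellings against the output of auditusr /? on your server.

```batch
@echo off
rem Added example: per-user auditing for one account under investigation.
rem SUSPECT and BACKUP are hypothetical values; replace them with your own.
setlocal
set "SUSPECT=CONTOSO\jdoe"
set "BACKUP=%TEMP%\peruser-audit-before.txt"

rem Export the current per-user settings so they can be re-imported later (/i).
auditusr /e "%BACKUP%"

rem Add include-success (/is) and include-failure (/if) entries for every
rem audit category, for this one user only.
for %%C in (
  "System Event" "Logon/Logoff" "Object Access" "Privilege Use"
  "Detailed Tracking" "Policy Change" "Account Management"
  "Directory Service Access" "Account Logon"
) do (
  auditusr /is %SUSPECT%:%%C
  auditusr /if %SUSPECT%:%%C
)

rem With no arguments, auditusr lists the per-user settings now in effect.
auditusr

rem When the investigation ends, remove this user's entries:
rem   auditusr /r %SUSPECT%
endlocal
```

Run it from an elevated command prompt on the server whose Security log you are watching, then filter that log on the account name to review the extra events.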

About Mitch Tulloch

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is the book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch was also the author of Introducing Windows Server 2008 and technical project lead for the Microsoft Office Communications Server 2007 Resource Kit, both books also from Microsoft Press. For more information on these and other books by Mitch, see www.mtit.com.
