Advanced Audit Policy Configuration
Advanced Audit Policy provides granular control over what events are logged on a Windows system. It replaces the legacy audit categories with a more detailed set of subcategories.
Why Use Advanced Audit Policy?
- Fine‑grained selection of events to audit
- Better alignment with compliance standards (PCI‑DSS, ISO 27001, etc.)
- Reduced noise in the security log
- Enhanced reporting capabilities
Key Concepts
| Term | Description |
|---|---|
| Category | High‑level grouping (e.g., Account Logon) |
| Subcategory | Specific event type within a category (e.g., Logon) |
| Success/Failure | Audit actions when they succeed, fail, or both |
Configuring via Group Policy
- Open Group Policy Management (gpmc.msc).
- Create or edit a GPO that applies to the target computers.
- Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies.
- Expand a category and enable the desired subcategories for Success, Failure, or both.
- Run gpupdate /force on target machines.
PowerShell Example
# Enable auditing for user account changes (both success and failure).
# auditpol.exe is the built-in tool for this; Set-AuditPolicy / Get-AuditPolicy
# are not standard Windows cmdlets and will fail unless a third-party module supplies them.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# Verify configuration (all subcategories of the Account Management category)
auditpol /get /category:"Account Management"
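As an added example (not code from the original page), the following PowerShell script applies a small subcategory baseline with auditpol.exe, verifies it by parsing auditpol's CSV output, and checks the override setting that makes subcategory settings win over legacy category settings. The subcategory names and Success/Failure choices in $Baseline are assumed sample values; adjust them to your own policy.

```powershell
# Desired baseline: subcategory name -> auditpol setting (sample values, edit to taste).
# Names must match the output of: auditpol /list /subcategory:*
$Baseline = @{
    'User Account Management' = @{ Success = 'enable'; Failure = 'enable' }
    'Logon'                   = @{ Success = 'enable'; Failure = 'enable' }
    'Audit Policy Change'     = @{ Success = 'enable'; Failure = 'enable' }
    'Process Creation'        = @{ Success = 'enable'; Failure = 'disable' }
}

function Get-SubcategorySetting {
    param([string]$Name)
    # /r emits CSV; "Inclusion Setting" is e.g. "Success and Failure" or "No Auditing"
    $row = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

function Set-AuditBaseline {
    param([hashtable]$Desired)
    foreach ($name in $Desired.Keys) {
        $s = $Desired[$name]
        auditpol /set /subcategory:"$name" /success:$($s.Success) /failure:$($s.Failure) | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$name'" }
    }
}

function Test-AuditBaseline {
    param([hashtable]$Desired)
    $drift = @()
    foreach ($name in $Desired.Keys) {
        $s = $Desired[$name]
        $want = switch ("$($s.Success)/$($s.Failure)") {
            'enable/enable'  { 'Success and Failure' }
            'enable/disable' { 'Success' }
            'disable/enable' { 'Failure' }
            default          { 'No Auditing' }
        }
        $have = Get-SubcategorySetting -Name $name
        if ($have -ne $want) {
            $drift += [pscustomobject]@{ Subcategory = $name; Expected = $want; Actual = $have }
        }
    }
    return $drift
}

# Subcategory settings only take precedence over legacy category settings when this value is 1.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy audit policy may override subcategory settings'
}

Set-AuditBaseline -Desired $Baseline
$drift = Test-AuditBaseline -Desired $Baseline
if ($drift) { $drift | Format-Table -AutoSize } else { 'Audit baseline applied and verified.' }
```

Run from an elevated PowerShell session; auditpol needs administrative rights to change policy.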
Common Categories and Subcategories
- Logon/Logoff – Successful and failed logon attempts.
- Object Access – File, registry, and other object accesses (object-level SACLs are also required for these events to be generated).
- Policy Change – Modifications to audit policy, user rights, etc.
- Process Creation – Tracking new processes and their command lines (command-line capture additionally requires the "Include command line in process creation events" policy setting).
Best Practices
- Start with a baseline template (Microsoft provides policy templates).
- Enable only the subcategories needed for your compliance goals.
- Enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so legacy category settings cannot silently undo the subcategory configuration.
- Regularly review the Security log for unexpected events.
- Combine with Microsoft Sentinel or a SIEM for advanced analytics.