If you choose to audit access to objects as part of your audit policy, you must turn on either the audit directory service access category (for auditing objects on a domain controller) or the audit object access category (for auditing objects on a member server or Windows 2000 Professional system. Once you have turned on the correct object access category, you can use each individual object's properties to specify whether to audit successes or failures for the permissions granted to each group or user. The phrase "successes or failures for the permissions granted to each group or user" is kind of ethereal, bordering on management-speak. That means that we can set up auditing for a file (say resume.doc) or a resource (say the check printer in the payroll department). Auditing will report that Billy Bob successfully accessed the file resume.doc, but when he tried to print something out on the check printer in payroll, he was unsuccessful. It is important to note that auditing can be considered nonjudgmental. Auditing just tells you that Billy Bob got into the file. You (or someone like you) have to determine if Billy Bob was supposed to get into that file!
Was this article helpful?