Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2003
    - Admin Tips
      - Security
        Auditing on a per-user basis

Section(s): Security
Published on Mar 01, 2006.
Last Modified on Mar 01, 2006.
Last Modified by Mitch Tulloch.
Rated 2.8 out of 5 based on 5 votes.

How to configure per-user auditing.

Windows Server 2003 Service Pack 1 lets you do something you couldn't do on previous platforms, namely configure audit settings on a per-user basis. This new feature is called "Per-User Selective Audit" and was actually present in Windows Server 2003 RTM but by mistake the command-line tool auditusr.exe wasn't included for that platform.

Per-user auditing can be used for example when you want to audit only logon/logoff events for all users, while for one particular user you are suspicious about you want to audit *all* audit settings. In other words, it's a good tool for drilling in on suspicious activity on your network.

To configure per-user auditing you use the auditusr.exe tool, and to find out how to do this, open a command prompt window and type auditusr /? for instructions.

About Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .