{
	"id": "d13ef5f3-ccd0-4495-908c-14b3d2169958",
	"created_at": "2026-04-06T00:21:10.61706Z",
	"updated_at": "2026-04-10T03:21:11.908063Z",
	"deleted_at": null,
	"sha1_hash": "36342a14bb76782e4d44d01634281e167c025062",
	"title": "Advanced Audit Policy Configuration settings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47830,
	"plain_text": "Advanced Audit Policy Configuration settings\r\nBy robinharwood\r\nArchived: 2026-04-05 21:13:34 UTC\r\nThe Advanced Audit Policy Configuration settings are found under Computer Configuration\\Windows\r\nSettings\\Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies in Group Policy.\r\nThese settings enable organizations to monitor compliance with key business and security requirements by\r\ntracking specific activities, such as:\r\nYou can access these audit policy settings through the Local Security Policy snap-in ( secpol.msc ) on the local\r\ncomputer or by using Group Policy.\r\nThese advanced audit policy settings provide granular control over which activities are monitored, allowing you to\r\nfocus on events that are most relevant to your organization. You can exclude auditing for actions that aren't\r\nimportant or that generate unnecessary log volume. Additionally, because these policies can be managed through\r\ndomain Group Policy Objects, you can easily modify, test, and deploy audit configurations to specific users and\r\ngroups as needed.\r\nAccount Logon\r\nConfiguring policy settings in this category can help you document attempts to authenticate account data\r\non a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy\r\nsettings and events, which track attempts to access a particular computer, settings and events in this\r\ncategory focus on the account database that is used. This category includes the following subcategories:\r\nExpand Audit Credential Validation policy\r\nExpand Audit Kerberos Authentication Service policy\r\nExpand Audit Kerberos Service Ticket Operations policy\r\nExpand Audit Other Account Logon Events\r\nAccount Management\r\nThe security audit policy settings in this category can be used to monitor changes to user and computer\r\naccounts and groups. 
This category includes the following subcategories:\r\nAudit Application Group Management policy\r\nAudit Computer Account Management policy\r\nDetailed Tracking\r\nhttps://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)\r\nPage 1 of 4\n\nDetailed Tracking security policy settings and audit events can be used to monitor the activities of\r\nindividual applications and users on that computer, and to understand how a computer is being used. This\r\ncategory includes the following subcategories:\r\nAudit DPAPI Activity policy\r\nAudit PNP Activity policy\r\nAudit Process Creation policy\r\nAudit Process Termination policy\r\nAudit RPC Events policy\r\nAudit Token Right Adjustment policy\r\nDS Access\r\nDS Access security audit policy settings provide a detailed audit trail of attempts to access and modify\r\nobjects in Active Directory Domain Services (AD DS). These audit events are logged only on domain\r\ncontrollers. This category includes the following subcategories:\r\nAudit Detailed Directory Service Replication policy\r\nAudit Directory Service Access policy\r\nAudit Directory Service Changes policy\r\nAudit Directory Service Replication policy\r\nLogon/Logoff\r\nLogon/Logoff security policy settings and audit events allow you to track attempts to sign into a computer\r\ninteractively or over a network. These events are useful for tracking user activity and identifying potential\r\nattacks on network resources. 
This category includes the following subcategories:\r\nAudit Account Lockout policy\r\nAudit User / Device Claims\r\nAudit Group Membership policy\r\nAudit IPsec Extended Mode policy\r\nAudit IPsec Main Mode policy\r\nAudit IPsec Quick Mode policy\r\nAudit Logoff policy\r\nAudit Logon policy\r\nAudit Network Policy Server policy\r\nAudit Other Logon/Logoff Events policy\r\nAudit Special Logon policy\r\nObject Access\r\nObject Access policy settings and audit events allow you to track attempts to access specific objects or\r\ntypes of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any\r\nother object, you must enable the appropriate Object Access auditing subcategory for success and/or failure\r\nevents. For example, the File System subcategory needs to be enabled to audit file operations, and the\r\nRegistry subcategory needs to be enabled to audit registry accesses. This category includes the following\r\nsubcategories:\r\nAudit Application Generated policy\r\nAudit Certification Services policy\r\nAudit Detailed File Share policy\r\nAudit File Share policy\r\nAudit File System policy\r\nAudit Filtering Platform Connection policy\r\nAudit Filtering Platform Packet Drop policy\r\nAudit Handle Manipulation policy\r\nAudit Kernel Object policy\r\nAudit Other Object Access Events policy\r\nAudit Registry policy\r\nAudit Removable Storage policy\r\nAudit SAM policy\r\nAudit Central Access Policy Staging policy\r\nPolicy Change\r\nPolicy Change audit events allow you to track changes to important security policies on a local system or\r\nnetwork. 
Because policies are typically established by administrators to help secure network resources,\r\nmonitoring changes or attempts to change these policies can be an important aspect of security\r\nmanagement for a network. This category includes the following subcategories:\r\nAudit Policy Change policy\r\nAudit Authentication Policy Change policy\r\nAudit Authorization Policy Change policy\r\nAudit Filtering Platform Policy Change policy\r\nAudit MPSSVC Rule-Level Policy Change policy\r\nAudit Other Policy Change Events policy\r\nPrivilege Use\r\nPermissions on a network are granted for users or computers to complete defined tasks. Privilege Use\r\nsecurity policy settings and audit events allow you to track the use of certain permissions on one or more\r\nsystems. This category includes the following subcategories:\r\nAudit Non-Sensitive Privilege Use policy\r\nAudit Other Privilege Use Events policy\r\nAudit Sensitive Privilege Use policy\r\nSystem\r\nSystem security policy settings and audit events allow you to track system-level changes to a computer that\r\naren't included in other categories and that have potential security implications. This category includes the\r\nfollowing subcategories:\r\nAudit IPsec Driver policy\r\nAudit Other System Events policy\r\nAudit Security State Change policy\r\nAudit Security System Extension policy\r\nAudit System Integrity policy\r\nGlobal Object Access\r\nGlobal Object Access Auditing policy settings allow administrators to define computer SACLs per object\r\ntype for the file system or for the registry. 
The specified SACL is then automatically applied to every object\r\nof that type.\r\nAuditors are able to prove that every resource in the system is protected by an audit policy by viewing the\r\ncontents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting\r\ncalled \"Track all changes made by group administrators,\" they know that this policy is in effect.\r\nResource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access\r\nAuditing policy to log all the activity for a specific user and enabling the policy to track \"Access denied\"\r\nevents for the file system or registry can help administrators quickly identify which object in a system is\r\ndenying a user access.\r\nIf you select the Define this policy setting check box on the policy’s property page, then select Configure,\r\nyou can add a user or group to the global SACL. This enables you to define computer SACLs per object\r\ntype for the file system. The specified SACL is then automatically applied to every file system object type.\r\nFile System (Global Object Access Auditing) policy\r\nRegistry (Global Object Access Auditing) policy\r\nSource: https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)"
	],
	"report_names": [
		"dn311461(v=ws.11)"
	],
	"threat_actors": [],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36342a14bb76782e4d44d01634281e167c025062.pdf",
		"text": "https://archive.orkl.eu/36342a14bb76782e4d44d01634281e167c025062.txt",
		"img": "https://archive.orkl.eu/36342a14bb76782e4d44d01634281e167c025062.jpg"
	}
}