Some users—using Windows 2000 and other servers—can cause the majority of an administrator’s
problems in terms of dealing with user incidents. Sometimes it is no fault of
the user, but rather due to problems with the user’s account, profile,
effective group policy settings, and so on. Other times, the user is at fault—using
the wrong password, incorrectly typing the account name, trying to log on
during unauthorized hours, or attempting access to resources for which they
have no authorization or need.

You can use auditing in these situations to help identify
events associated with specific users. You can then use that information for
counseling, remediation, or even termination if warranted.

The types of events you audit for a particular user depends
on the source of the problem. For example, you should audit logon events if the
user often has problems with the logon process or attempts logon during
unauthorized hours. You can track object access to determine when a user is
attempting access to a forbidden resource.

However you choose to set up auditing, keep in mind that
auditing can impose overhead on your servers, so audit only those types of
events you feel are warranted in the situation. Also make sure to archive the
event logs in case you need them later to justify any remediation plan.

Miss a tip?

Check out the Windows 2000 Server Archive,
and catch up on the most recent tips from this newsletter.

Want more Win2K tips
and tricks? Automatically
sign up for our free Windows 2000 Server newsletter
, delivered each