Enable auditing to keep an eye on users in Windows NT

Read these tips for getting the most out of the network auditing feature.

Administrators know that users can be very unpredictable, and some even have a tendency to start experimenting with your network. For example, a user might get bored and start browsing around your network for "useful" information. It's hard to anticipate who's going to try accessing your confidential data.

If you want to see who's successfully or unsuccessfully accessed data, turn on auditing. Auditing is a useful feature that allows you to see exactly what's going on with your documents.

Before you can monitor access to your files, you have to enable the feature. Follow these steps:

  1. Open User Manager by going to Start | Programs | Administrative Tools | User Manager.
  2. Select Policies | Audit.
  3. Choose Audit These Events.
  4. Under the File And Object Access option, select either the Success or Failure check box, depending on the events you want to audit.
  5. Close all dialog boxes.

You can turn on auditing for several events, but for now, let's focus on auditing access to files and folders.

Once you've activated auditing, you must specify the events on each individual file and folder. You can do this only for files and folders located on NTFS volumes.

Right-click a file or folder, and select Properties. On the Security tab, click Auditing. In the Event To Audit section, click Add, and select the users or a group of users. If you want to enable auditing for all users, select Everyone.

While auditing is a helpful practice, don't get carried away. When you log more files and enable more logging options, you risk performance issues. And if you audit too much, you'll easily get lost in the log files, and you might miss important events.

So it's a good idea to only log important files or the most important events. For instance, if you want to find out who's deleting files, only monitor successful file deletes.

Editor's Picks

Free Newsletters, In your Inbox