I'll post a few blogs on some new SP1 items which aren't detailed in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
There is a "new" feature in 2003 SP1 for Per User Auditing. It's not really new; it's been in there since RTM, but there was no really easy way to get at it via a GUI to configure it. There is now a command line tool called auditusr.exe.
Auditusr.exe was included in XP SP2 as well, but no one really documented it.
It modifies the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
with the specified SID and a REG_BINARY mask representing the inclusion/exclusion.
A few ground rules:
Administrator can be included but not excluded.
Built-in and Security groups can't be included/excluded.
If a user is in both the included and excluded group, it is included.
C:\WINDOWS\system32>auditusr.exe /es SpatsDomain\User1:"Object Access"
You set the following categories:
Directory Service Access
You can dump out the current settings via the /e switch.
Check auditusr.exe /? for more info.
PS: Since we edit the LSA keys I have found a reboot to be necessary to enforce the new settings. I am sure that Eric Fitzgerald can correct me if I am wrong on any points here.
Sure it is documented!!!!
Security Monitoring and Attack Detection
Oh wait, the documentation misspelled the command. And oh yes, the examples that they posted don't work even if the command is spelled correctly.
The joys of running Windows