
2003 SP1 - "new" feature... Per User Auditing

I'll post a few blogs on some new SP1 items which aren't detailed in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

 

There is a "new" feature in 2003 SP1 for Per User Auditing. It's not really new; it has been in there since RTM, but there was no real easy way to get at it and configure it via a GUI. There is now a command line tool called auditusr.exe.

 

Auditusr.exe was included in XP SP2 as well, but no one really documented it.

 

It modifies the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System

with the specified SID and REG_BINARY mask representing the inclusion/exclusion.

 

A few ground rules:

 

Administrator can be included but not excluded.

Built-in and Security groups can't be included or excluded.

If a user is in both the included and excluded groups, the user is included.

 

 

Sample use:

 

C:\WINDOWS\system32>auditusr.exe /es  SpatsDomain\User1:"Object Access"

 

You can set the following categories:

 

System Event

Logon/Logoff

Object Access

Privilege Use

Detailed Tracking

Policy Change

Account Management

Directory Service Access

Account Logon

 

You can dump out the current settings via the /e switch:

 

Auditusr 1.0

SPATSDOMAIN\User1:exclude:success:Object Access

SPATSDOMAIN\User2:exclude:failure:Object Access

SPATSDOMAIN\Test2:exclude:success:Object Access

 

 

Check auditusr.exe /? for more info.
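Per-user exclusions are audit gaps, so the dump is worth reviewing for accounts whose events will not be logged. The Python sketch below is an added example, not part of the original post or of auditusr itself; it assumes one entry per line in the shape shown in the dump above, and reads the include-wins ground rule as applying per account, category and outcome.

```python
from collections import defaultdict

# The nine categories listed in the post.
CATEGORIES = {
    "System Event", "Logon/Logoff", "Object Access", "Privilege Use",
    "Detailed Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon",
}

def parse_dump(text):
    """Parse 'ACCOUNT:include|exclude:success|failure:Category' lines.
    Returns (entries, rejected); the 'Auditusr 1.0' banner lands in rejected."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.rsplit(":", 3)  # split from the right: account stays whole
        if (len(parts) == 4 and parts[1] in ("include", "exclude")
                and parts[2] in ("success", "failure")
                and parts[3] in CATEGORIES):
            entries.append(tuple(parts))
        else:
            rejected.append(line)
    return entries, rejected

def audit_gaps(entries):
    """Map account -> sorted (category, outcome) pairs excluded from auditing.
    Assumption: a matching include entry overrides the exclude."""
    included = {(a.upper(), c, o) for a, m, o, c in entries if m == "include"}
    gaps = defaultdict(set)
    for account, mode, outcome, category in entries:
        key = (account.upper(), category, outcome)  # account names ignore case
        if mode == "exclude" and key not in included:
            gaps[account.upper()].add((category, outcome))
    return {acct: sorted(pairs) for acct, pairs in gaps.items()}

# Constructed sample: the three lines from the post plus one include entry.
SAMPLE = r"""Auditusr 1.0
SPATSDOMAIN\User1:exclude:success:Object Access
SPATSDOMAIN\User2:exclude:failure:Object Access
SPATSDOMAIN\Test2:exclude:success:Object Access
SPATSDOMAIN\Test2:include:success:Object Access
"""

if __name__ == "__main__":
    for account, pairs in sorted(audit_gaps(parse_dump(SAMPLE)[0]).items()):
        print(account, pairs)
```

Lines that land in `rejected` are worth a manual look, since they mean the dump did not match the shape assumed here.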

 

PS: Since we edit the LSA keys, I have found a reboot to be necessary to enforce the new settings. I am sure that Eric Fitzgerald can correct me if I am wrong on any points here.

 

Spat

 

Published Friday, April 01, 2005 10:36 AM by SpatDSG

Comments

Friday, April 01, 2005 10:59 AM by A random blog reader

# re: 2003 SP1 - "new" feature... Per User Auditing

The POSIX subsystem (from the Microsoft product Windows services for unix, version 3.5) seems to crash when SP1 is installed.

I should probably report this through proper channel, but just happened to read your blog first :-)

Thursday, December 22, 2005 1:34 PM by Troy

# re: 2003 SP1 - "new" feature... Per User Auditing

Thanks for the information. It would be nice if Microsoft would provide a little more info on these hidden tools.
Tuesday, January 03, 2006 3:40 PM by SpatDSG

# re: 2003 SP1 - "new" feature... Per User Auditing

You mean more info on this specific tool or more info on obscure tools which don't seem to have documentation anywhere?

spat
Tuesday, March 13, 2007 8:08 PM by Z

# re: 2003 SP1 - "new" feature... Per User Auditing

Sure it is documented!!!!

Security Monitoring and Attack Detection

http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/attackdetection.mspx

Oh wait, the documentation misspelled the command. And oh yes, the examples that they posted don't work even if the command is spelled correctly.

The joys of running Windows
