I'll post a few blogs on some new SP1 items which aren't detailed in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
There is a “new” feature in 2003 SP1 for Per User Auditing. It’s not really new, it’s been in there since RTM but there was no real easy way to get at it via a GUI to configure it. There is now a command line tool called auditusr.exe.
Auditusr.exe was included in XP SP2 as well, but no one really documented it.
It modifies the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System with the specified SID and REG_BINARY mask representing the inclusion \ exclusion.
A few ground rules:
Administrator can be included but not excluded.
Built-in and Security groups can’t be included\excluded.
If a user is in both the included and excluded group it is included.
C:\WINDOWS\system32>auditusr.exe /es SpatsDomain\User1:"Object Access"
You set the following categories:
Directory Service Access
You can dump out the current settings via the /e switch
Check auditusr.exe /? for more info.
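To review what is stored under the registry key named above independently of the tool, here is an added PowerShell example (not from the original post or from Microsoft). It assumes each value name under the key is a SID string with the REG_BINARY mask as its data, and it prints the mask as raw hex because the post does not describe the mask layout; the function name is hypothetical.

```powershell
# Added example: list the per-user audit entries stored under the key named in the post.
# Assumption: each value name is a SID string and its data is the REG_BINARY mask.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System'

function Get-PerUserAuditEntry {
    param([string]$Path = $keyPath)

    # No per-user settings have been written if the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No per-user audit key found at $Path"
        return
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        $data = $key.GetValue($name)

        # Resolve the SID to an account name; deleted or foreign accounts stay unresolved.
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($name)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved)'
        }

        # Show the mask bytes as hex; anything other than REG_BINARY is reported as such.
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
            $mask = ($data | ForEach-Object { $_.ToString('X2') }) -join ' '
        } else {
            $mask = "unexpected type: $kind"
        }

        New-Object PSObject -Property @{ Sid = $name; Account = $account; Mask = $mask }
    }
}

Get-PerUserAuditEntry | Format-Table Sid, Account, Mask -AutoSize
```

Entries whose SID no longer resolves to an account, or whose data is not REG_BINARY, are worth comparing against the output of the /e switch.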
PS: Since we edit the LSA keys I have found a reboot to be necessary to enforce the new settings. I am sure that Eric Fitzgerald can correct me if I am wrong on any points here.