2003 SP1 – "new" feature… Per User Auditing

I'll post a few blogs on some new SP1 items which aren't detailed in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx


There is a "new" feature in 2003 SP1 for Per User Auditing. It's not really new; it's been in there since RTM, but there was no real easy way to configure it via a GUI. There is now a command line tool called auditusr.exe.


Auditusr.exe was included in XP SP2 as well, but no one really documented it.


It modifies the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System with the specified SID and a REG_BINARY mask representing the inclusion/exclusion.


A few ground rules:


Administrator can be included but not excluded.

Built-in and Security groups can't be included/excluded.

If a user is in both the included and excluded group, it is included.



Sample use:


C:\WINDOWS\system32>auditusr.exe /es  SpatsDomain\User1:"Object Access"


You can set the following categories:


System Event


Object Access

Privilege Use

Detailed Tracking

Policy Change

Account Management

Directory Service Access

Account Logon


You can dump out the current settings via the /e switch:


Auditusr 1.0

SPATSDOMAIN\User1:exclude:success:Object Access

SPATSDOMAIN\User2:exclude:failure:Object Access

SPATSDOMAIN\Test2:exclude:success:Object Access



Check auditusr.exe /? for more info.
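To review a /e dump for audit blind spots, the following added example (not part of the original post and not Microsoft code) parses the output and lists the exclusions that stay effective once the "included wins" ground rule is applied. It assumes every entry follows the account:include|exclude:success|failure:category layout seen in the sample and that the rule applies per account, result and category; the second User2 line is constructed to exercise it.

```python
import re
from collections import defaultdict

# Constructed sample in the dump format shown above; the User2 include line is
# added to exercise the "included wins over excluded" ground rule.
SAMPLE_DUMP = """\
Auditusr 1.0

SPATSDOMAIN\\User1:exclude:success:Object Access
SPATSDOMAIN\\User2:exclude:failure:Object Access
SPATSDOMAIN\\User2:include:failure:Object Access
SPATSDOMAIN\\Test2:exclude:success:Object Access
"""

# Assumed line layout: account:include|exclude:success|failure:category
LINE_RE = re.compile(
    r"^(?P<account>[^:]+):(?P<mode>include|exclude):"
    r"(?P<result>success|failure):(?P<category>.+)$",
    re.IGNORECASE,
)

def parse_dump(text):
    """Return (account, mode, result, category) tuples; skip banner and blanks."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["account"].upper(), m["mode"].lower(),
                            m["result"].lower(), m["category"].strip()))
    return entries

def audit_gaps(entries):
    """Exclusions that remain effective after include-wins resolution."""
    modes = defaultdict(set)
    for account, mode, result, category in entries:
        modes[(account, result, category)].add(mode)
    # Per the ground rules, an entry in both lists counts as included.
    return sorted(key for key, seen in modes.items() if seen == {"exclude"})

if __name__ == "__main__":
    for account, result, category in audit_gaps(parse_dump(SAMPLE_DUMP)):
        print(f"{account}: {result} events for '{category}' are excluded from auditing")
```

Run against a saved dump, any account it reports is one whose activity in that category will not appear in the Security log, so each entry should map to a documented decision.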


PS: Since we edit the LSA keys I have found a reboot to be necessary to enforce the new settings. I am sure that Eric Fitzgerald can correct me if I am wrong on any points here.




Comments (4)

  1. The POSIX subsystem (from the Microsoft product Windows Services for UNIX, version 3.5) seems to crash when SP1 is installed.
    I should probably report this through the proper channel, but just happened to read your blog first 🙂

  2. Troy says:

    Thanks for the information. It would be nice if Microsoft would provide a little more info on these hidden tools.

  3. SpatDSG says:

    You mean more info on this specific tool or more info on obscure tools which don't seem to have documentation anywhere?


  4. Z says:

    Sure it is documented!!!!

    Security Monitoring and Attack Detection


    Oh wait, the documentation misspelled the command. And oh yes, the examples that they posted don’t work even if the command is spelled correctly.

    The joys of running windows
