2003 SP1 - "new" feature... Per User Auditing

I'll post a few blogs on some new SP1 items which aren't detailed in https://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

There is a "new" feature in 2003 SP1 for Per User Auditing. It's not really new; it has been in there since RTM, but there was no easy way to get at it and configure it through a GUI. There is now a command line tool called auditusr.exe.

Auditusr.exe was included in XP SP2 as well, but no one really documented it.

It modifies the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System, with the specified SID and a REG_BINARY mask representing the inclusion/exclusion.

A few ground rules:

Administrator can be included but not excluded.

Built-in and security groups can't be included or excluded.

If a user is in both the included and excluded group, it is included.

Sample use:

C:\WINDOWS\system32>auditusr.exe /es  SpatsDomain\User1:"Object Access"

You can set the following categories:

System Event

Logon/Logoff

Object Access

Privilege Use

Detailed Tracking

Policy Change

Account Management

Directory Service Access

Account Logon

You can dump out the current settings via the /e switch:

Auditusr 1.0

SPATSDOMAIN\User1:exclude:success:Object Access

SPATSDOMAIN\User2:exclude:failure:Object Access

SPATSDOMAIN\Test2:exclude:success:Object Access
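Since per-user exclusions silently reduce audit coverage, a defender will want to inventory them. The following is an added example (not code from the original post or from Microsoft): it parses the DOMAIN\User:include|exclude:success|failure:Category lines auditusr prints, applies the ground rule that a user who is both included and excluded counts as included (assumed here to apply per category and outcome), and reports the exclusions that remain. The sample listing is constructed from the output shown above plus one extra include line.

```python
"""Parse auditusr.exe listing output and report effective per-user audit exclusions."""
from typing import Dict, List, NamedTuple, Tuple

# The nine audit categories the tool accepts.
CATEGORIES = {
    "System Event", "Logon/Logoff", "Object Access", "Privilege Use",
    "Detailed Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon",
}

class AuditEntry(NamedTuple):
    account: str    # DOMAIN\User exactly as auditusr prints it
    mode: str       # "include" or "exclude"
    outcome: str    # "success" or "failure"
    category: str   # one of CATEGORIES

def parse_auditusr_output(text: str) -> List[AuditEntry]:
    """Turn the listing into entries, skipping blank lines and the version banner."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("auditusr"):
            continue
        # Split from the right: the account may contain odd characters,
        # but the categories above contain no colons.
        parts = line.rsplit(":", 3)
        if len(parts) != 4:
            raise ValueError(f"unexpected auditusr line: {line!r}")
        account, mode, outcome, category = parts
        if mode not in ("include", "exclude") or outcome not in ("success", "failure"):
            raise ValueError(f"unexpected mode/outcome in line: {line!r}")
        if category not in CATEGORIES:
            raise ValueError(f"unknown audit category: {category!r}")
        entries.append(AuditEntry(account, mode, outcome, category))
    return entries

def effective_policy(entries: List[AuditEntry]) -> Dict[Tuple[str, str, str], str]:
    """Map (ACCOUNT, category, outcome) -> mode; an include always beats an exclude."""
    policy: Dict[Tuple[str, str, str], str] = {}
    for e in entries:
        key = (e.account.upper(), e.category, e.outcome)  # account names are case-insensitive
        if policy.get(key) != "include":
            policy[key] = e.mode
    return policy

def audit_gaps(entries: List[AuditEntry]) -> List[Tuple[str, str, str]]:
    """Accounts whose events are effectively excluded from auditing, for review."""
    return sorted(k for k, mode in effective_policy(entries).items() if mode == "exclude")

# Constructed sample: the listing from the post plus an include that overrides Test2's exclude.
SAMPLE = """Auditusr 1.0
SPATSDOMAIN\\User1:exclude:success:Object Access
SPATSDOMAIN\\User2:exclude:failure:Object Access
SPATSDOMAIN\\Test2:exclude:success:Object Access
SPATSDOMAIN\\Test2:include:success:Object Access
"""

if __name__ == "__main__":
    for acct, cat, outc in audit_gaps(parse_auditusr_output(SAMPLE)):
        print(f"{acct}: {outc} auditing of {cat} is excluded")
```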

Check auditusr.exe /? for more info.

PS: Since we edit the LSA keys, I have found a reboot to be necessary to enforce the new settings. I am sure that Eric Fitzgerald can correct me if I am wrong on any points here.

Spat