How To: Auditing On A Per-User Basis

Normally, all audit functions are system-wide, with little granularity. On systems with many users it is hard to perform a detailed audit, since too many events are logged. If configured poorly, logging can become quite resource- and time-consuming.

However, starting with Windows Server 2003 SP1, a new feature named "Per-User Selective Audit" is available. It lets you override the system-wide audit settings for a given user, thus preventing unnecessary events from being recorded.

The practical use of this option is watching the actions of a particular user you are suspicious about.

To configure and learn more about this function, run the following command in a command-line session:

auditusr /?

About this Entry

This page contains a single entry by Konstantin Boyandin published on December 16, 2009 1:41 PM.
