
Create a GPO for advanced auditing in Windows Server 2012 R2


August 20, 2013

Hi guyz

Today let's go through a very simple guide on how to create a Group Policy Object (GPO) for
advanced auditing in Server 2012 R2.

Before we start, note that audit logs report a variety of activities in your enterprise
to the Windows Security Log.

You can then monitor these auditing logs to identify issues that warrant further investigation.

Auditing can log successful activities as well, to provide documentation of changes.

It can also log failed and potentially malicious attempts to access enterprise resources.

When configuring auditing, you will specify audit settings, enable an audit policy, and then
monitor events in the security logs.

So now let's get started.

** Please note that for this demo I'm using my existing small infrastructure, which
consists of DC01.comsys.local, SVR01.comsys.local and Surface01.comsys.local (Windows 8
client).

1 On your Domain Server1 (DC01), create a new GPO: open Group Policy
Management, right-click the Comsystem File Server OU (this OU contains my file server,
SVR01.comsys.local), and click Create a GPO in this domain and Link it here.

2 In the New GPO box, type Comsys File Audit, and then press Enter.

3 Next, right-click Comsys File Audit, and click Edit.


4 Next, in the Group Policy Management Editor, under Computer Configuration, expand
Policies, expand Windows Settings, expand Security Settings, expand Advanced Audit
Policy Configuration, expand Audit Policies, and then click Object Access.

5 Next, double-click Audit Detailed File Share. In the Properties dialog box, select the
Configure the following events check box, then select both the Success and Failure check boxes,
and then click OK.

6 Optionally, choose Audit Removable Storage and repeat the previous step.

7 Next, log in to your client PC (in my case, my Surface01 PC) as any user.

8 On the Windows 8 desktop, open Run and type \\svr01\IT notes, and then press Enter
(please note that on my SVR01.comsys.local I already have an existing shared folder called
IT Notes for this demo).

9 Next, open the IT Notes folder, open the existing file MS Office 365.txt, and then close it.

10 Next, log in to the SVR01 server and open Event Viewer. In Event Viewer, double-click
Windows Logs, and then click Security.

Double-click one of the log entries with a Source of Microsoft Windows security auditing, and
a Task Category of Detailed File Share.

Click the Details tab, and note the access that was performed.
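
The check in step 10 can also be done from an elevated PowerShell prompt on SVR01. This is an added example, not part of the original guide; it assumes an English-language system (auditpol subcategory names are localized) and relies on Detailed File Share access checks being logged as Security event ID 5145.

```powershell
# Added example: run in an elevated PowerShell session on the file server (SVR01 in this demo).

# 1. Refresh computer policy, then confirm the subcategory shows "Success and Failure".
gpupdate /target:computer /force | Out-Null
auditpol /get /subcategory:"Detailed File Share"

# 2. Collect Detailed File Share events (ID 5145) from the last hour.
$filter = @{
    LogName   = 'Security'
    Id        = 5145
    StartTime = (Get-Date).AddHours(-1)
}

# Standard event keyword bit for "Audit Failure" (locale independent).
$auditFailure = 0x10000000000000

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name instead of relying on their position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            Result     = if ($_.Keywords -band $auditFailure) { 'Failure' } else { 'Success' }
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ClientIP   = $data['IpAddress']
            Share      = $data['ShareName']
            File       = $data['RelativeTargetName']
            AccessMask = $data['AccessMask']
        }
    } |
    # Keep only the demo share from step 8; adjust the pattern for other shares.
    Where-Object { $_.Share -like '*IT Notes*' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Detailed File Share auditing records an event for every access check on a share, so on a busy file server size the Security log accordingly.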
