Microsoft Knowledge Base Article 325898 contains the following summary:
This article describes how to set up and manage
operation-based auditing in Windows Server 2003 Enterprise Edition.
When you
use operation-based auditing,
you can audit operations on files and folders.
This means that you can audit certain operations (for example,
Write
operations) and audit access to objects.
Operation-based auditing is set up
when you turn on object access auditing on a file or folder.
Object access
events and operations such as Write operations are
recorded in the security
log.
Operation-based audits are categorized as object audits,
and
they are
logged as an event ID 567 in the security
log.
These audits are
generated the first time an operation is performed.
You can set up only files
and folders to generate operation audits.
