Microsoft Knowledge Base Article 314955 contains the following summary:
This step-by-step article describes how to use Windows 2000 auditing to track user activities and system-wide events
in Active Directory.
When you use Windows 2000 auditing, you can track both user activities and Windows 2000 activities, which are called events, on a computer. When you use auditing, you can specify which events are written to the Security log. For example, the Security log can maintain a record of both valid and invalid logon attempts and events that relate to creating, opening, or deleting files or other objects. An audit entry in the Security log contains the following information:
|•||The action that was performed.|
|•||The user who performed the action.|
|•||The success or failure of the event and the time that the event occurred.|
When you audit Active Directory events, Windows 2000 writes an event to the Security log on the domain controller. For example, if a user tries to log on to the domain using a domain user account and the logon attempt is unsuccessful, the event is recorded on the domain controller and not on the computer on which the logon attempt was made. This behavior occurs because it is the domain controller that tried to authenticate the logon attempt but could not do so.
Use Event Viewer to view events that Windows 2000 logs in the Security log. You can also archive log files to track trends over time, for example, if you want to determine the use of either printers or files, or if you want to verify the use of unauthorized resources.
To enable auditing of Active Directory objects:
|1.||Configure an audit policy setting for a domain controller.
When you configure an audit policy setting, you can audit objects but you cannot specify which object you want to audit.
|2.||Configure auditing for specific Active Directory objects.
After you specify the events to audit for files, folders, printers, and Active Directory objects, Windows 2000 tracks and logs these events.