Q: In the Windows audit policy, an administrator can specify whether to log the success and/or failure events of different event categories (e.g., object access, logon/logoff). Does Windows provide a mechanism to define this audit policy more granularly, such as on a per-user basis? I want to specify an audit policy that logs only the failure logon/logoff events of the Administrator account. Currently, the most granular policy I can specify is to log the logon/logoff failures of all the accounts in the domain.
A: In Windows XP SP2 and Windows Server 2003, Microsoft introduced per-user auditing, which provides the functionality you’re looking for. Per-user auditing is also supported in Windows Server 2008 and Windows Vista.
Per-user auditing lets an administrator define exceptions to the Windows audit policy (i.e., the audit policy you define in the Group Policy Object—GPO—settings) on a per-user basis. However, exceptions can’t be defined for the Administrator account or for members of the Administrators group. In fact, exceptions can’t be defined for any groups—only for individual user accounts. . . .
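On Windows Vista and Windows Server 2008, a per-user exception of the kind this answer describes can be set with the built-in auditpol.exe tool, which the text above does not name. The script below is an added example, not part of the original answer; the account name CONTOSO\jsmith is constructed, an elevated prompt is assumed, and the group check covers only direct members of the local Administrators group.

```powershell
# Added example: per-user audit exception that logs failed Logon/Logoff
# events for one account, regardless of the system-wide audit policy.
# Assumes Windows Vista / Server 2008 or later and an elevated prompt.
param(
    [string]$User = 'CONTOSO\jsmith'    # constructed sample account
)

# Exceptions cannot be defined for members of the Administrators group,
# so refuse such targets up front. Only direct membership in the local
# group is checked here; nested domain groups are not resolved.
$members = net localgroup Administrators | ForEach-Object { $_.Trim() }
$candidates = @($User)
if ($User -like "$env:COMPUTERNAME\*") {
    # Local accounts are listed by 'net localgroup' without the machine prefix.
    $candidates += ($User -split '\\', 2)[1]
}
foreach ($name in $candidates) {
    if ($members -contains $name) {
        throw "$User is a member of Administrators; per-user auditing does not apply."
    }
}

# /include adds an audit entry for this user even when the system policy
# does not audit the category; /failure:enable limits it to failures.
auditpol /set "/user:$User" /category:"Logon/Logoff" /include /failure:enable
if ($LASTEXITCODE -ne 0) {
    throw "auditpol /set failed with exit code $LASTEXITCODE"
}

# Show the resulting per-user policy for the category, then list every
# account that currently has a per-user policy defined.
auditpol /get "/user:$User" /category:"Logon/Logoff"
auditpol /list /user

# To undo the exception later:
#   auditpol /remove "/user:$User"
```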

