Group Policy allows you to audit or monitor the changes on your Windows computer. Using the Group Policy you can monitor who has logged on and when, who has opened a document, who has created a new user account or changed a security policy.
To do so, type on secpol.msc in start search and hit Enter to open Local Security Policy.
Under Security settings in the left pane, expand Local Policies and then select Audit Policy.
As you can see, you can audit:
- Account logon events: Account logon events are generated whenever a computer validates the credentials of an account for which it is authoritative.
- Account management: Lets you see if someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group
- Directory service access: Monitor this to see when someone accesses an Active Directory object that has its own system access control list (SACL).
- Logon events: Log off events are generated whenever a logged on user account’s logon session is terminated.
- Object access: Lets you see when someone has used a file, folder, printer, registry keys or other object.
- Policy change: Audits changes to local security policies.
- Privilege use: Monitor this to see when someone performs a task on the computer that they have permission to perform
- Process tracking: Track events such as program activation or a process exiting.
- System events: Lets you monitor and see when someone has shut down or restarted the computer, or when a process or program tries to do something that it doesn’t have permission to do.
Double-click the one you wish to monitor and select the Success option. Click Apply. You can get more information on each if you click on the Explain tab.
To enable monitoring of your documents, right-click the file and click open Properties.
Select Security tab > Advanced > Auditing tab.
Click Continue to open the Advanced Security Settings box and click Add.
Now, in the Enter the object name to select box, type the name of the user or group whose actions you want to keep track of, and then click OK in each of the four open dialog boxes.
Select the check box for any action you want to audit, and then click OK. To learn more about what you can audit and the auditable actions for files, visit Microsoft.
To view the Audit Logs, type Event Viewer in start search and hit Enter.
In the left pane, double-click Windows Logs, and then click Security. Next double-click an event to see view the log details.