Monitor your computer and documents using the Group Policy

Group Policy allows you to audit or monitor changes on your Windows computer. Using Group Policy, you can monitor who has logged on and when, who has opened a document, and who has created a new user account or changed a security policy.

To do so, type secpol.msc in Start search and hit Enter to open Local Security Policy.

Under Security settings in the left pane, expand Local Policies and then select Audit Policy.

As you can see, you can audit:

  • Account logon events: Account logon events are generated whenever a computer validates the credentials of an account for which it is authoritative.
  • Account management: Lets you see if someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group.
  • Directory service access: Monitor this to see when someone accesses an Active Directory object that has its own system access control list (SACL).
  • Logon events: Log off events are generated whenever a logged on user account’s logon session is terminated.
  • Object access: Lets you see when someone has used a file, folder, printer, registry keys or other object.
  • Policy change: Audits changes to local security policies.
  • Privilege use: Monitor this to see when someone performs a task on the computer that they have permission to perform.
  • Process tracking: Track events such as program activation or a process exiting.
  • System events: Lets you see when someone has shut down or restarted the computer, or when a process or program tries to do something that it doesn’t have permission to do.

Double-click the one you wish to monitor and select the Success option. Click Apply. You can get more information on each if you click on the Explain tab.

To enable monitoring of your documents, right-click the file and click Properties.

Select Security tab > Advanced > Auditing tab.

Click Continue to open the Advanced Security Settings box and click Add.

Now, in the Enter the object name to select box, type the name of the user or group whose actions you want to keep track of, and then click OK in each of the four open dialog boxes.

Select the check box for any action you want to audit, and then click OK. To learn more about what you can audit and the auditable actions for files, visit Microsoft.

To view the Audit Logs, type Event Viewer in start search and hit Enter.

In the left pane, double-click Windows Logs, and then click Security. Next, double-click an event to view the log details.
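The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original article: it enables Success auditing for Object access, adds an audit entry to one file, and then pulls only the access events for that file out of the Security log instead of browsing everything in Event Viewer. The file path and the audited group are hypothetical placeholders, and the category name assumes an English-language Windows installation.

```powershell
#Requires -RunAsAdministrator
# Added example. $Path and $Who are hypothetical; change them for your system.
$Path = 'C:\Docs\budget.xlsx'   # the document to watch (placeholder)
$Who  = 'Everyone'              # user or group whose actions are audited

# 1. Audit policy: Success auditing for the "Object access" category
#    (command-line equivalent of the secpol.msc step).
auditpol /set /category:"Object Access" /success:enable | Out-Null

# 2. File SACL: audit successful reads, writes and deletes by $Who
#    (equivalent of Properties > Security > Advanced > Auditing > Add).
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]::Success
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule($Who, $rights, $flags)
$acl    = Get-Acl -Path $Path -Audit      # -Audit loads the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Security log: keep only event 4663 (object access attempt) for $Path.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue
$hits = foreach ($evt in $events) {
    # Turn the event's named data fields into a lookup table.
    $d = @{}
    foreach ($field in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $d[$field.Name] = $field.'#text'
    }
    if ($d['ObjectName'] -eq $Path) {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Process = $d['ProcessName']
            Access  = $d['AccessMask']   # hex bitmask of the access used
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

Events appear only for access that happens after both the policy and the file's audit entry are in place, so open the file once before running step 3 to confirm the setup works.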

For more information about Security Policy and Group Policy, go here. If you need any help, you can always visit TWC Forums.

Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.

One Comment

  1. Stephen Schimmel

    Does anybody actually use native Windows auditing? I’m curious to know how you actually view the audit data—when we tried this there was just too much data for us to sort through, so I didn’t find this method helpful. Eventually had to look for a tool and found a stack of freeware tools on that do this for us—we’re using the freeware versions of netwrix group policy change reporter, logon reporter, active directory change reporter, event log manager, and password expiration notifier. Recommended.
