Enabling auditing on multiple machines using a GPO
If you have a Windows 2000 network that uses Active Directory, you can enforce event log and auditing options network-wide using a group policy. To do this:
1. Open Active Directory Users and Computers from Administrative Tools, then right-click your domain and select Properties.
Domain properties
Now click the Group Policy tab to bring up your network's group policy. A group policy allows you to enforce network-wide policies relating to security, which applications can be used, and so on. Among these are options for the event logs.

Group policy
2. This dialog lists all the group policies you have in place. Select the main group policy, i.e. the one that applies to your entire domain and cannot be overridden, and click 'Edit'. The group policy will open.

Event log options in a group policy
3. Now go to the Computer Configuration > Windows Settings > Event log > Settings for Event Logs node. When you expand this node, you will see a number of options that you can specify for the event logs. It's important that you enable 'Restrict guest access to security log'. You can assign other options as you see fit.

Audit policy settings
4. Now go to the Security Settings > Audit Policy node. In this node you can specify, on a network-wide basis, which events must be audited. It's important that you enable Success & failure of:
- Audit account logon events
- Audit logon events
We recommend auditing other event categories too, although we suggest you audit only failures for process tracking and system events, in order to avoid a glut of events.
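To confirm that the policy carries the settings from steps 3 and 4, the following added example (not part of the original article) checks a security template, such as the GPO's GptTmpl.inf or the output of `secedit /export`, against them. The function name `check_template` and the sample template are constructed for illustration; the key names are those used in the template's [Event Audit] and [Security Log] sections.

```python
import configparser

# Audit values used in the template's [Event Audit] section.
AUDIT_VALUES = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}
REQUIRED = {"AuditAccountLogon": 3, "AuditLogonEvents": 3}  # step 4: success and failure
FAILURE_ONLY = {"AuditProcessTracking": 2, "AuditSystemEvents": 2}  # suggested: failure only

# Constructed sample template, not taken from a real domain.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 1
AuditProcessTracking = 3
AuditAccountLogon = 3
[Security Log]
MaximumLogSize = 10240
RestrictGuestAccess = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def check_template(inf_text):
    """Return a list of findings; an empty list means the template matches."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(inf_text)
    findings = []
    audit = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    for key, want in {**REQUIRED, **FAILURE_ONLY}.items():
        raw = audit.get(key)
        got = int(raw) if raw is not None and raw.strip().isdigit() else None
        if got != want:
            have = "not defined" if got is None else AUDIT_VALUES.get(got, raw)
            findings.append(f"{key}: want {AUDIT_VALUES[want]}, have {have}")
    seclog = cp["Security Log"] if cp.has_section("Security Log") else {}
    if seclog.get("RestrictGuestAccess", "").strip() != "1":
        findings.append("Security Log: RestrictGuestAccess is not enabled")
    return findings

if __name__ == "__main__":
    for line in check_template(SAMPLE_INF):
        print(line)
```

These templates are normally saved as UTF-16, so decode the file accordingly before passing its text to `check_template`.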