auditpol.exe


Account Logon

– Audit Kerberos Service Ticket Operations

auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

– Audit Kerberos Authentication Service

auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

Account Management

– Audit Computer Account Management

auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable

– Audit Other Account Management Events

auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable

– Audit Security Group Management

auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

– Audit User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Detailed Tracking

– Audit DPAPI activity

auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable

– Audit PNP Activity

auditpol /set /subcategory:"Plug and Play Events" /success:enable /failure:enable

– Audit Process Creation

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

DS Access

– Audit Directory Service Access

auditpol /set /subcategory:"Directory Service Access" /failure:enable

– Audit Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Logon/Logoff

– Audit Account Lockout

auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

– Audit Special Logon

auditpol /set /subcategory:"Special Logon" /success:enable

– Audit Logoff

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

– Audit Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Object Access

– Audit Removable Storage

auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable

Policy Change

– Audit Policy Change

auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

– Audit Authentication Policy Change

auditpol /set /subcategory:"Authentication Policy Change" /success:enable

Privilege Use

– Audit Sensitive Privilege Use

auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable

System

– Audit IPsec Driver

auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable

– Audit Other System Events

auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable

– Audit Security State Change

auditpol /set /subcategory:"Security State Change" /success:enable

– Audit Security System Extension

auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

– Audit System Integrity

auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
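
Verifying the result

An added example, not part of the original page: a PowerShell check that reads the effective policy with auditpol /get /category:* /r and reports every subcategory from the list above that is below the setting those commands enable. The function name Test-AuditBaseline is hypothetical; the script assumes an elevated prompt and an English-language Windows, because auditpol localizes subcategory names and setting values.

```powershell
# Added example: compare the effective audit policy with the subcategories set on this page.
function Test-AuditBaseline {
    # -Csv accepts saved "auditpol /get /category:* /r" output; by default the live policy is read.
    param([string[]]$Csv = (auditpol /get /category:* /r))

    # Minimum setting per subcategory, taken from the commands above (S = success, F = failure).
    $baseline = @{}
    @('Kerberos Service Ticket Operations', 'Kerberos Authentication Service',
      'Computer Account Management', 'Other Account Management Events',
      'Security Group Management', 'User Account Management', 'DPAPI Activity',
      'Plug and Play Events', 'Process Creation', 'Directory Service Changes',
      'Account Lockout', 'Logoff', 'Logon', 'Removable Storage', 'Audit Policy Change',
      'IPsec Driver', 'Other System Events', 'Security System Extension',
      'System Integrity') | ForEach-Object { $baseline[$_] = 'SF' }
    @('Special Logon', 'Authentication Policy Change', 'Sensitive Privilege Use',
      'Security State Change') | ForEach-Object { $baseline[$_] = 'S' }
    $baseline['Directory Service Access'] = 'F'

    # The "Inclusion Setting" column holds "No Auditing", "Success", "Failure"
    # or "Success and Failure"; blank lines in the output are skipped.
    $effective = @{}
    $Csv | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
        ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }

    foreach ($name in ($baseline.Keys | Sort-Object)) {
        $actual  = $effective[$name]
        $missing = @()
        if ($null -eq $actual) {
            # Subcategory not reported by this Windows version (or localized output).
            $missing += 'not reported'
        } else {
            if ($baseline[$name] -match 'S' -and $actual -notmatch 'Success') { $missing += 'success' }
            if ($baseline[$name] -match 'F' -and $actual -notmatch 'Failure') { $missing += 'failure' }
        }
        if ($missing) {
            [pscustomobject]@{ Subcategory = $name; Effective = $actual; Missing = $missing -join ', ' }
        }
    }
}

$gaps = @(Test-AuditBaseline)
if ($gaps.Count) { $gaps | Format-Table -AutoSize; exit 1 }
Write-Output 'All listed subcategories meet the baseline.'
```

Settings applied with auditpol /set are local to the machine; a Group Policy that configures Advanced Audit Policy overwrites them at the next policy refresh, so run the check again after a refresh.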