Create a GPO for advanced auditing in Windows Server 2012 R2:

Let’s go through a very simple guide on how to create a Group Policy Object (GPO) for advanced auditing in Server 2012 R2. Before we start, note that auditing reports a variety of activities in your enterprise to the Windows Security log. You can then monitor these audit logs to identify issues that warrant further investigation.

Auditing can log successful activities as well, to provide documentation of changes. It can also log failed and potentially malicious attempts to access enterprise resources. When configuring auditing, you will specify audit settings, enable an audit policy, and then monitor events in the security logs.

So now let’s get started…

Please be informed that for this demo I’m using my existing small infrastructure, which consists of DC01.comsys.local, SVR01.comsys.local and Surface01.comsys.local (Windows 8 client).

1 – On your domain server (DC01), create a new GPO: open Group Policy Management, right-click the Comsystem File Server OU (this OU contains my file server, SVR01.comsys.local), and click Create a GPO in this domain, and Link it here…


2 – In the New GPO box, type Comsys File Audit, and then press Enter…


3 – Next, right click Comsys File Audit, and click Edit


4 – Next, in the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration, expand Audit Policies, and then click Object Access.


5 – Next, double-click Audit Detailed File Share, in the Properties dialog box, select the Configure the following events check box, then select both Success and Failure check boxes, and then click OK…


6 – You may also choose Audit Removable Storage and repeat the same steps as in step 5…


7 – Next, log in to your client PC (in my case, my Surface01 PC) as any user…


8 – On the Windows 8 desktop, open Run, type \\svr01\IT notes, and then press Enter… (please note that on my SVR01.comsys.local I already have an existing shared folder called IT Notes for this demo)


9 – Next, open the IT Notes folder, open the existing file MS Office 365.txt, and then close it again…


10 – Next, log in to SVR01 server, and open Event Viewer, in Event Viewer, double-click Windows Logs, and then click Security.

Double-click one of the log entries with a Source of Microsoft Windows security auditing, and a Task Category of Detailed File Share.

Click the Details tab, and note the access that was performed.
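
The same check as step 10 can be done from the command line. The following is an added example, not part of the original walkthrough: it confirms the policy from step 5 reached the file server and lists the resulting Detailed File Share events (Event ID 5145) with the user, client address, share and file for each access. It assumes an elevated PowerShell session on SVR01; the one-hour time window is a constructed value, and the share name is the one used in this demo.

```powershell
# Run in an elevated PowerShell session on the file server (SVR01 in this demo).
# Assumption: the GPO from steps 1-6 is linked to the OU that contains this server.

# Pull the new policy now instead of waiting for the background refresh.
gpupdate /target:computer /force | Out-Null

# Show the effective setting for the subcategory enabled in step 5.
auditpol /get /subcategory:"Detailed File Share"

# Event ID 5145 is written under Task Category "Detailed File Share"
# each time a client requests access to a file or folder on a share.
$filter = @{
    LogName   = 'Security'
    Id        = 5145
    StartTime = (Get-Date).AddHours(-1)   # constructed window; widen as needed
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # The Details tab in Event Viewer shows this same EventData as XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ClientIP = $data['IpAddress']
        Share    = $data['ShareName']
        Path     = $data['RelativeTargetName']
        Access   = $data['AccessMask']
    }
}

# Narrow to the demo share from step 8 ("IT Notes" is this page's share name).
$report |
    Where-Object { $_.Share -like '*\IT Notes' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

If auditpol still reports No Auditing for the subcategory, the GPO has not applied to this server, so check that SVR01 sits in the OU the GPO is linked to.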