Detailed Security Logging...
I am setting up some detailed logging (http://support.microsoft.com/default.aspx?scid=kb;EN-US;921469) and wanted to be sure that I had the right idea on a couple of options.

The subcategories listed in 'auditpol /get /category:"Account logon","Account Management","DS Access"' would only be effective if set on the domain controller, correct? I'm pretty sure about "Account logon" but I wasn't sure if "Account Management" would also pick up on local account management. Same with "DS Access"... I was curious as to if the local machine would somehow know when you trigger something that falls under "DS Access".

Of the other categories (System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking and Policy Change) which are only effective when set to audit on the domain controller?

Basically, I am trying to figure out what I need on my DC and what I need on my Vista boxes for everything to be clean and efficient.

TIA!
June 11th, 2008 7:52pm

Hi,

Q: The subcategories listed in 'auditpol /get /category:"Account logon","Account Management","DS Access"' would only be effective if set on the domain controller, correct?

A: No. Based on my research, it seems that all the subcategories that you mentioned can be enabled on both the domain controller and a stand-alone server. Both "Account logon" and "Account Management" can pick up the local account logon and local account management events. "DS Access" applies only to Active Directory, and it can pick up all the DS access events on the DC. By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.

Please note: all the audit security events will be recorded and can be viewed with Event Viewer: Event Viewer -> Windows Logs -> Security.

Q: Of the other categories (System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking and Policy Change) which are only effective when set to audit on the domain controller?

A: Based on the research, these categories can also be effective on the domain controller, member servers and stand-alone servers.

Hope it helps.

Your potential. Our passion.
June 17th, 2008 1:48pm
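One way to see what each machine actually has in effect for the three categories asked about, as an added example that is not part of the original thread. It assumes an elevated prompt, PowerShell 3.0 or later and English-language auditpol output; the report property names are made up for this example.

```powershell
# Added example, not from the thread. Run elevated on the DC and on a workstation
# and compare the two reports.
# Assumption: English auditpol output (column names and setting strings are localized).

$categories = 'Account Logon', 'Account Management', 'DS Access'

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5

$report = foreach ($cat in $categories) {
    # /r prints the effective policy as CSV; blank lines are dropped before parsing.
    & auditpol.exe /get "/category:$cat" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        ForEach-Object {
            $setting = $_.'Inclusion Setting'
            $note = ''
            # Per the answer above, DS Access has no meaning off a domain controller.
            if ($cat -eq 'DS Access' -and -not $isDC -and $setting -ne 'No Auditing') {
                $note = 'DS Access enabled on a non-DC'
            }
            [pscustomobject]@{
                Computer    = $_.'Machine Name'
                IsDC        = $isDC
                Category    = $cat
                Subcategory = $_.Subcategory
                Setting     = $setting
                Note        = $note
            }
        }
}

$report | Format-Table -AutoSize
```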

This topic is archived. No further replies will be accepted.
