Audit policies are set up computer by computer, so you must be able to log on to the computer (with the
Manage auditing and security log right, held by Administrators by default) before setting its policy. The
audit policy is defined in User Manager for Domains: selecting Audit on the Policies menu gives you the
following event categories, each of which you can tick for success, failure or both:
- Logon and Logoff
- File and Object Access - access to a directory, file or printer that has auditing set on it.
- Use of User Rights
- User and Group Management - modifications to accounts.
- Security Policy Changes - changes made to user rights, audit or trust relationships.
- Restart, Shutdown and System - includes events that affect the security log, such as clearing it.
- Process Tracking
To audit files and directories (NTFS only) you select the Security tab in the Properties of the file or
directory and click Auditing. Note that these per-object settings only produce events once File and Object
Access is ticked in the audit policy above. You can audit the following events for a chosen user or group:
- Read
- Write
- Execute
- Delete
- Change Permissions
- Take Ownership
You can select whether to apply the auditing to files in subdirectories as well, or just to the
files in the given directory. Auditing the Everyone group is a good idea as you can track anyone who
Auditing a printer is also done by selecting the Security tab in the Properties of the printer and
clicking Auditing. The events that can be audited for the selected user or group are:
- Print - submission of print jobs
- Full Control - changes to job settings, moving documents etc.
- Delete - deletion of print jobs
- Change Permissions
- Take Ownership
The Event Viewer allows you to view the following logs:
- System Log - errors, warnings and information logged by Windows NT itself (drivers and services).
- Security Log - the results of your audit policy.
- Application Log - errors, warnings and information logged by programs, as decided by the programmer.
In order to view the Security log you need to select Event Viewer in Administrative Tools. Once you
have done this, select the Log menu and pick Security (reading it requires the Manage auditing and
security log right, so ordinary users cannot inspect or clear it). The key symbol indicates a success
audit, the lock symbol indicates a failure audit, and the Category column tells you which audit-policy
category produced the event. You can look at the security log on another computer by choosing Select
Computer on the Log menu.
In Event Viewer, selecting Filter Events in the View menu allows you to decide which events
to look at, based on time, type, source, category, user, computer, ID or description.
Archiving the event logs is a good way to keep a history and track trends. You save the log by clicking
Save As on the Log menu of Event Viewer; saving as an event log file (*.evt) keeps it readable in Event
Viewer, while the text and comma-delimited formats suit other tools. In Event Log Settings (also on the Log
menu) the log file size can be set to between 64K and 4,194,240K, in 64K steps (default is 512K). You can
also decide how events are overwritten when the log is full: overwrite as needed, overwrite only events
older than a given number of days, or never overwrite (clear the log manually). With the last two settings
a full log silently drops new events unless the system is configured to halt when it cannot audit, so
either size the log generously or archive it on a schedule.
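The point of an archived Security log is that you can go back over it with the same filters Event Viewer offers (type, category, event ID, user) and look for patterns a single screen would not show. The following is an added example, not part of the original page: it parses a small constructed comma-delimited export (the field order Date,Time,Source,Type,Category,Event,User,Computer,Description is an assumption here; check it against your own export) and flags accounts with a burst of logon failures (event 529) followed by a successful logon (event 528), the shape of a password-guessing attack that worked. The five-failures-in-two-minutes threshold is also an assumption for illustration.

```python
"""Scan an archived NT Security log export for logon-failure bursts.

Added example, not from the original page. The export format, the
thresholds and the sample lines below are all assumptions/constructed.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

LOGON_SUCCESS = 528   # NT "Successful Logon" audit event
LOGON_FAILURE = 529   # NT "Logon Failure: Unknown user name or bad password"

# Constructed sample export (not a real capture). Assumed field order:
# Date,Time,Source,Type,Category,Event,User,Computer,Description
SAMPLE_EXPORT = """\
04/03/1999,09:12:01,Security,Success Audit,Logon/Logoff,528,ALICE,WS1,Successful Logon
04/03/1999,09:15:30,Security,Failure Audit,Logon/Logoff,529,BOB,WS1,Logon Failure: Unknown user name or bad password
04/03/1999,09:15:41,Security,Failure Audit,Logon/Logoff,529,BOB,WS1,Logon Failure: Unknown user name or bad password
04/03/1999,09:15:52,Security,Failure Audit,Logon/Logoff,529,BOB,WS1,Logon Failure: Unknown user name or bad password
04/03/1999,09:16:03,Security,Failure Audit,Logon/Logoff,529,BOB,WS1,Logon Failure: Unknown user name or bad password
04/03/1999,09:16:14,Security,Failure Audit,Logon/Logoff,529,BOB,WS1,Logon Failure: Unknown user name or bad password
04/03/1999,09:16:40,Security,Success Audit,Logon/Logoff,528,BOB,WS1,Successful Logon
04/03/1999,10:02:00,Security,Failure Audit,Logon/Logoff,529,CAROL,WS2,Logon Failure: Unknown user name or bad password
04/03/1999,11:30:00,Security,Success Audit,Policy Change,612,ADMIN,WS1,Audit Policy Change
"""

FIELDS = ["date", "time", "source", "type", "category",
          "event_id", "user", "computer", "description"]


def parse_export(text):
    """Turn the comma-delimited export into dicts with a datetime 'when'."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ev = dict(zip(FIELDS, row))
        ev["event_id"] = int(ev["event_id"])
        ev["when"] = datetime.strptime(f"{ev['date']} {ev['time']}",
                                       "%m/%d/%Y %H:%M:%S")
        events.append(ev)
    return events


def filter_events(events, **criteria):
    """Same idea as Event Viewer's Filter Events: keep rows whose fields
    equal every given criterion, e.g. type="Failure Audit", event_id=529."""
    return [e for e in events
            if all(e.get(k) == v for k, v in criteria.items())]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Map user -> time at which that user first reached `threshold`
    logon failures inside a sliding `window` (assumed thresholds)."""
    recent = defaultdict(deque)   # per-user timestamps of recent failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev["event_id"] != LOGON_FAILURE:
            continue
        q = recent[ev["user"]]
        q.append(ev["when"])
        while ev["when"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = ev["when"]
    return flagged


def success_after_burst(events, flagged):
    """Users who logged on successfully after being flagged: the guesses
    may have found the password, so these accounts need a closer look."""
    return sorted(
        user for user, flagged_at in flagged.items()
        if any(e["event_id"] == LOGON_SUCCESS and e["user"] == user
               and e["when"] > flagged_at for e in events))


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    bursts = failed_logon_bursts(evs)
    print("failure bursts:", bursts)
    print("successful logon after burst:", success_after_burst(evs, bursts))
```

On the constructed lines above BOB is flagged (five failures in under a minute) and then appears with a successful logon, while CAROL's single failure is ignored. The same sliding-window check works on any audited event ID, so it can be pointed at 612 (audit policy changed) or 517 (audit log cleared), which an attacker would trigger when covering tracks.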
Windows NT Diagnostics (Winmsd.exe) in Administrative Tools lets you look at Services,
Resources, Environment, Network, Version, System, Display, Drives and Memory, although these
are only a read-only display.
Performance Monitor is used to gauge a computer's performance.
It is launched from the Administrative Tools menu and charts counters grouped by object, such as:
- Paging File
The counter Processor: % Processor Time shows processor activity. Consistent usage above 80%
indicates that the processor is a bottleneck.
The counter Processor: Interrupts/Sec measures the rate of service requests from I/O devices. If this
increases without a corresponding increase in system activity, there may be a hardware fault.
The counter System: Processor Queue Length shows the number of threads waiting for the processor. If the
queue length is consistently greater than 2, the processor may be overloaded.
Sustained hard page faults indicate a memory bottleneck: data that a program needs is not in physical
memory and has to be retrieved from the page file on disk. The memory counters to watch are Memory: Pages/sec,
Available Bytes, Committed Bytes and Pool Nonpaged Bytes.
Pressing Ctrl+H highlights the selected counter's line on the chart.
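The rules above all hinge on the word "consistently": a single spike over 80% or a momentary queue of 3 means nothing, so what you want is a check over a run of samples rather than one reading. The following is an added example, not from the original page: it applies the page's processor rules (80% and a queue length of 2) plus the interrupt and page-fault heuristics to logged counter samples. The run length that counts as "sustained", the factor by which Interrupts/sec must rise, the Pages/sec limit and the sample values are all assumptions chosen for illustration.

```python
"""Apply Performance Monitor bottleneck rules to a run of counter samples.

Added example, not from the original page. The 80% and queue-length-2
limits come from the text; everything else below is an assumption.
"""
from statistics import mean

SUSTAINED_INTERVALS = 5      # assumption: consecutive samples that count as "consistent"
INTERRUPT_RISE_FACTOR = 2.0  # assumption: Interrupts/sec doubling over baseline is suspicious
PAGES_PER_SEC_LIMIT = 20     # assumption: Pages/sec above this, sustained, is a memory bottleneck

# Constructed sample of ten consecutive Perfmon intervals (not a real capture).
# The processor is busy for the first six intervals; in the last four the load
# drops but Interrupts/sec triples, the pattern the text attributes to a fault.
SAMPLES = [
    {"pct_processor_time": 88, "queue_length": 3, "interrupts_per_sec": 150, "pages_per_sec": 2},
    {"pct_processor_time": 91, "queue_length": 4, "interrupts_per_sec": 160, "pages_per_sec": 3},
    {"pct_processor_time": 85, "queue_length": 3, "interrupts_per_sec": 155, "pages_per_sec": 2},
    {"pct_processor_time": 90, "queue_length": 3, "interrupts_per_sec": 150, "pages_per_sec": 4},
    {"pct_processor_time": 93, "queue_length": 5, "interrupts_per_sec": 158, "pages_per_sec": 3},
    {"pct_processor_time": 87, "queue_length": 4, "interrupts_per_sec": 152, "pages_per_sec": 2},
    {"pct_processor_time": 60, "queue_length": 1, "interrupts_per_sec": 450, "pages_per_sec": 2},
    {"pct_processor_time": 55, "queue_length": 1, "interrupts_per_sec": 470, "pages_per_sec": 3},
    {"pct_processor_time": 58, "queue_length": 2, "interrupts_per_sec": 480, "pages_per_sec": 2},
    {"pct_processor_time": 62, "queue_length": 1, "interrupts_per_sec": 500, "pages_per_sec": 3},
]


def longest_run(samples, key, limit):
    """Length of the longest run of consecutive samples with samples[key] > limit.
    This is what turns "above 80%" into "consistently above 80%"."""
    best = run = 0
    for s in samples:
        run = run + 1 if s[key] > limit else 0
        best = max(best, run)
    return best


def interrupt_rise_without_load(samples, baseline_n=3):
    """True if Interrupts/sec rose by INTERRUPT_RISE_FACTOR over the first
    baseline_n samples while % Processor Time did not rise with it (assumed
    heuristic for the "increase without system activity" case)."""
    base_int = mean(s["interrupts_per_sec"] for s in samples[:baseline_n])
    base_cpu = mean(s["pct_processor_time"] for s in samples[:baseline_n])
    return any(s["interrupts_per_sec"] >= INTERRUPT_RISE_FACTOR * base_int
               and s["pct_processor_time"] <= base_cpu + 10
               for s in samples[baseline_n:])


def diagnose(samples):
    """Return which of the page's bottleneck conditions the samples meet."""
    return {
        "processor_bottleneck":
            longest_run(samples, "pct_processor_time", 80) >= SUSTAINED_INTERVALS,
        "processor_queue":
            longest_run(samples, "queue_length", 2) >= SUSTAINED_INTERVALS,
        "interrupt_anomaly": interrupt_rise_without_load(samples),
        "memory_bottleneck":
            longest_run(samples, "pages_per_sec", PAGES_PER_SEC_LIMIT) >= SUSTAINED_INTERVALS,
    }


if __name__ == "__main__":
    for finding, hit in diagnose(SAMPLES).items():
        print(f"{finding:22} {'YES' if hit else 'no'}")
```

On the constructed samples the processor and queue rules fire for the first six intervals and the interrupt rule fires for the last four, while the low Pages/sec leaves the memory check quiet. Feed it counter values logged from Performance Monitor at a fixed interval and adjust SUSTAINED_INTERVALS to match that interval.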
Network Monitor is installed as a service via the Network program in Control Panel and is accessed from
the Administrative Tools menu. It is a cut-down version of the one supplied with Systems Management Server
(SMS): it only captures frames sent to and from the local computer, whereas the SMS version can capture all
traffic on the segment. The four main panes are the Graph, the Session Statistics, the Total Statistics
and the Station Statistics.