Check the status of audit settings by choosing Audit on the Policies menu in the User Manager for Domains. The Audit Policy dialog box appears. The settings in this box reflect the minimum settings that are appropriate for auditing in most environments. Keep in mind that auditing too many events can affect a system's performance.
Protect auditing and security logs from other administrators who might change or delete them. You can grant only the Administrators group the ability to access the logs. To restrict access to only one user (the "auditor"), remove all users except the auditor from the Administrators group. This means all of your other administrators should be members of a management group that does not have the "Manage auditing and security log" right.
Check for failed logons in the Event Viewer. You can enable security auditing for logon attempts, file and object access, use of user rights, account management, security policy changes, restart and shutdown, and process tracking.
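The review described in the last two steps can be scripted. The following is an added example, not part of the original page: it scans a Security log export for repeated failed logons and for entries showing that the log was cleared or the audit policy was changed. The five-column export layout, the sample rows, and the NT-era event IDs (529-537 and 539 for logon failures, 517 for a cleared log, 612 for an audit policy change) are assumptions that the page does not give.

```python
import csv
import io
from collections import Counter

# Assumption: NT-era Security log event IDs (not listed on the page).
FAILED_LOGON_IDS = set(range(529, 538)) | {539}  # logon failure reasons, lockout
LOG_CLEARED_ID = 517                             # the audit log was cleared
POLICY_CHANGE_ID = 612                           # the audit policy was changed

# Constructed sample export, columns: date,time,event_id,user,computer
SAMPLE = """\
1999-03-01,08:01:10,528,alice,WS01
1999-03-01,08:02:00,529,bob,WS02
1999-03-01,08:02:05,529,bob,WS02
1999-03-01,08:02:09,529,Bob,ws02
1999-03-01,08:02:15,539,bob,WS02
1999-03-01,08:10:00,529,carol,WS03
1999-03-01,09:00:00,612,dave,DC01
1999-03-01,09:00:30,517,dave,DC01
"""

def review(export_text, threshold=3):
    """Return (repeated_failures, tamper_events) for one exported log.

    repeated_failures maps (user, computer) to the failure count for every
    pair with at least `threshold` failed logons; tamper_events lists
    (date, time, event_id, user) for log-clear and policy-change entries.
    """
    failures = Counter()
    tamper = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        date, time, event_id, user, computer = (f.strip() for f in row)
        if not event_id.isdigit():
            continue  # skip a header row or damaged field
        eid = int(event_id)
        if eid in FAILED_LOGON_IDS:
            # Account and computer names are case-insensitive on Windows.
            failures[(user.lower(), computer.upper())] += 1
        elif eid in (LOG_CLEARED_ID, POLICY_CHANGE_ID):
            tamper.append((date, time, eid, user))
    repeated = {k: n for k, n in failures.items() if n >= threshold}
    return repeated, tamper

if __name__ == "__main__":
    repeated, tamper = review(SAMPLE)
    print("Repeated failed logons:", repeated)
    print("Log cleared / policy changed:", tamper)
```

An audit policy change followed shortly by a cleared log, as in the last two sample rows, is the pattern that restricting the "Manage auditing and security log" right is meant to prevent.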