Configuring selective auditing

If you are using identity and privilege management features, you can control audit and monitoring service by using Access Manager to configure role definitions with different audit requirements, and then assigning those role definitions to different sets of Active Directory users. For more information about using role definitions to control auditing, see Defining custom roles with specific rights.

If you are using audit and monitoring service without also using identity and privilege management features, you can use group policies to control which Windows users to audit, or to capture activity for all Windows users.

To control audit and monitoring service using group policies:

  1. Open the Group Policy Management console.
  2. Expand the forest and domains to select the Default Domain Policy object.
  3. Right-click, then click Edit to open Group Policy Management Editor.
  4. Expand Computer Configuration > Policies, then select Centrify DirectAudit Settings.
  5. Select the Audited user list to identify specific users to audit.

    When you enable this group policy, only the users you specify in the policy are audited. If this policy is not configured, all users are audited.

  6. Select the Non-audited user list to identify specific users that should not be audited.

    When you enable this group policy, only the users you specify are not audited. If this policy is not configured, all users are audited. If you enable both the Audited user list and the Non-audited user list policies, the users you include in the Non-audited user list take precedence over the Audited user list.

The following table details the effect of configuring and enabling the Audited user list and Non-audited user list group policies, and including or not including Windows users in those lists.

| Non-audited user list | Audited user list | How the setting affects auditing |
| --- | --- | --- |
| Not configured | Not configured | No users are defined for either policy, so all users accessing audited computers are audited. |
| Not configured | Enabled | Only the users you specify in the Audited user list policy are audited. If no users are specified when the policy is enabled, no users are audited. |
| Not configured | Enabled | Only AUL is enabled, but user is not listed in it. |
| Enabled | Not configured | If no users are specified in the Non-audited user list and the policy is enabled, no users are exempt from auditing. All users are audited. |
| Enabled | Enabled | If both policies are enabled, the non-audited user takes precedence over the audited list of users. If a user is specified in the audited list, that user is explicitly audited. If a user is specified in the non-audited list, that user is explicitly not audited. If the same user is specified in both lists, the user is not audited because the non-audited user takes precedence. If no users are specified for either policy, all users are audited because the non-audited user takes precedence. |
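The precedence rules in the table can be modelled to check that accounts you expect to be recorded are not silently excluded by a policy combination. The following is an added example, not code from the product; the function names, the `DOMAIN\user` name format and the sample accounts are assumptions, and the handling of a user who appears in neither list when both policies are enabled follows step 5 rather than an explicit table row.

```python
"""Model of the Audited / Non-audited user list precedence table (added example)."""

def _norm(users):
    # None models "Not configured"; any collection, even an empty one, models "Enabled".
    # Windows account names are compared case-insensitively.
    return None if users is None else {u.lower() for u in users}

def is_audited(user, audited=None, non_audited=None):
    """Return True if `user` would be audited under the given policy state."""
    user, aul, naul = user.lower(), _norm(audited), _norm(non_audited)
    # The Non-audited user list takes precedence over the Audited user list.
    if naul is not None and user in naul:
        return False
    # No Audited user list configured: everyone not exempted is audited.
    if aul is None:
        return True
    # Both policies enabled with no users in either: the table says all users are audited.
    if not aul and naul is not None and not naul:
        return True
    # Audited user list enabled: only listed users are audited, so an enabled
    # but empty list audits nobody. (Assumption from step 5 for users in neither list.)
    return user in aul

def audit_gaps(must_audit, audited=None, non_audited=None):
    """Accounts from `must_audit` that the policy combination leaves unaudited."""
    return [u for u in must_audit if not is_audited(u, audited, non_audited)]

# Constructed sample accounts, not taken from the page.
PRIVILEGED = [r"CORP\da-alice", r"CORP\svc-backup", r"CORP\bob"]

if __name__ == "__main__":
    scenarios = {
        "neither configured": (None, None),
        "Audited list enabled but empty": ([], None),
        "both enabled, overlap": ([r"CORP\da-alice", r"CORP\svc-backup"],
                                  [r"corp\SVC-backup"]),
    }
    for name, (aul, naul) in scenarios.items():
        print(f"{name}: unaudited privileged accounts = "
              f"{audit_gaps(PRIVILEGED, aul, naul)}")
```

Running it against an export of the two policy lists shows at a glance when an enabled but empty Audited user list, or an overlap between the lists, drops an account from auditing.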