Problem

You want to audit who performs tasks associated with backup and restore on a Windows XP system.

Solution

Using Group Policy

Through Group Policy, you can choose to audit any action related to backup and restore. The GPO setting, for those in a domain environment, is found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and is called "Audit: Audit the use of Backup and Restore privilege." This setting is also available through Local Security Policy (you can access this through the Administrative Tools applet within Control Panel) in the Local Policies\Security Options tree.

Discussion

This GPO setting tells Windows whether to write an event in the Security event log when users exercise Backup and Restore privileges, but only when the "Audit privilege use" policy is also enabled. It also generates an audit event for every file that is backed up or restored. All audited events are caused by actions stemming from the execution of NTBACKUP; for example, creating an ASR backup will trigger a log entry, whereas doing an xcopy backup will not cause anything to be logged.

See Also

Chapter 6 on Group Policy in Learning Windows Server 2003 (O'Reilly)
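The Discussion notes that the Security Option has no effect unless "Audit privilege use" is also enabled. The following is an added example, not part of the original recipe, that checks both settings in a security policy export and reports whether backup and restore events will actually be logged. It assumes the INF layout written by `secedit /export /cfg policy.inf /areas SECURITYPOLICY`, in which the two settings appear as `AuditPrivilegeUse` and the `FullPrivilegeAuditing` registry value; the sample export is constructed.

```python
# Constructed sample shaped like a secedit security policy export (INF).
# Here the Security Option is on but "Audit privilege use" is off.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditPrivilegeUse = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,1
[Version]
signature="$CHICAGO$"
"""

# Registry value behind "Audit: Audit the use of Backup and Restore privilege".
FULL_PRIV_KEY = r"machine\system\currentcontrolset\control\lsa\fullprivilegeauditing"
AUDIT_FLAGS = {0: "no auditing", 1: "success", 2: "failure", 3: "success and failure"}


def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def backup_restore_audit_status(text):
    """Report both settings and whether backup/restore events get logged."""
    inf = parse_inf(text)
    # Assumption: a missing AuditPrivilegeUse entry is treated as "no auditing".
    priv_use = int(inf.get("event audit", {}).get("auditprivilegeuse", "0"))
    # Registry entries are stored as "<type>,<data>"; type 3 is REG_BINARY.
    _, _, data = inf.get("registry values", {}).get(FULL_PRIV_KEY, "3,0").partition(",")
    option_on = data.strip() not in ("", "0", "00")
    return {
        "privilege_use": AUDIT_FLAGS.get(priv_use, "unknown"),
        "backup_restore_option": option_on,
        "events_logged": option_on and priv_use in (1, 2, 3),
    }
```

Run `backup_restore_audit_status()` on the text of each exported policy file; a result with `backup_restore_option` set but `events_logged` false is the misconfiguration the Discussion warns about.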