Recipe 19.13. Auditing Backup and Restore Actions


You want to audit who performs tasks associated with backup and restore on a Windows XP system.


Using Group Policy

Through Group Policy, you can choose to audit any action related to back up and restore. The GPO setting, for those in a domain environment, is found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and is called "Audit: Audit the use of Backup and Restore privilege." This setting is also available through Local Security Policy (you can access this through the Administrative Tools applet within Control Panel) in the Local Policies/Security Options tree.


This GPO setting tells Windows whether to write an event in the Security event log when users exercise Backup and Restore privileges, but only when the Audit privilege use policy GPO is enabled. It also generates an audit event for every file that is backed up or restored. All audited events are caused by actions stemming from the execution of NTBACKUP for example, creating an ASR backup will trigger a log entry, whereas doing an xcopy backup will not cause anything to be logged.

See Also

Chapter 6 on Group Policy in Learning Windows Server 2003 (O'Reilly)

Windows XP Cookbook
Windows XP Cookbook (Cookbooks)
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: