In this article we are going to show you how to create an expression-based audit policy in Windows Server 2016. As its name suggests, Global Object Access Auditing allows an administrator to set file and registry auditing configuration per computer rather than at the file system level. This makes it much easier to track the settings across the servers on your network, rather than having to set and inspect SACLs at the file level.
Creating an Expression-Based Audit Policy
Windows Server 2016 supports expression-based audit policies that let you audit only the specific actions and users of interest. You can build expression-based audit policies for either the file system or the registry by using Global Object Access Auditing. To enable an expression-based audit of a file system folder, for example, follow these steps.
1. Log on to your domain as a member of the local Administrators group and start the Group Policy Management Console (GPMC).
2. In the console tree, navigate to Domains\<Your_Domain>\Group Policy Objects\Default Domain Controllers Policy, where <Your_Domain> is the name of your domain. Right-click Default Domain Controllers Policy and click Edit.
3. In the Group Policy Management Editor, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies container.
4. Double-click Object Access, then double-click Audit Registry. Select the Configure the following audit events check box, select the Success and Failure check boxes, and click OK.
5. Double-click Global Object Access Policies, then double-click Registry. Select the Define this policy setting check box and click Configure.
6. Select the Define this policy setting check box in the File System Properties dialog box, then click Configure to open the Advanced Security Settings for Global File SACL dialog box.
7. Click Add to open the Auditing Entry for Global SACL dialog box.
8. Click Select a principal to open the familiar Select User, Computer, Service Account, or Group dialog box. Add the groups, computers, or users to audit, select the type of audit from the list, and then select the permissions to audit.
9. Use the Add a condition to limit the scope section to narrow the scope of this audit. Here I'm building a condition that will tell me when any Domain Admin who is not also an Enterprise Admin takes ownership of a file or otherwise changes its ownership.
10. Click OK to add the audit expression.
11. Click Apply to continue adding audit entries, or click OK to complete the audit entry and finish configuring the expression-based audit policy.
12. Click OK to close the File System Properties dialog box, then close the Group Policy Management Editor and Group Policy Management.
When you configure file or registry Global Object Access Auditing in Windows Server 2016, instead of the simple Success and Failure options presented for most audit settings, you'll notice there is just a Configure button that takes you to a dialog in which you set the audit configuration exactly as you would from the file system.
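The command-line counterpart and the detection side of the procedure above, as an added example that is not part of the article. It uses the built-in auditpol tool to turn on the File System subcategory and define a global file SACL on the local machine (the article's GPO path pushes the same settings to domain controllers), then reads the 4663 object-access events that SACL produces and applies the step-9 condition (a Domain Admin who is not also an Enterprise Admin taking ownership) as a filter. Assumed: an elevated PowerShell session, the RSAT ActiveDirectory module, the placeholder domain name CONTOSO, and that auditpol's /access switch carries no expression, so the expression itself is still entered through the GUI or GPO as the steps describe.

```powershell
# Added example (not from the article). Assumptions: elevated session on one
# server, RSAT ActiveDirectory module present, domain "CONTOSO" is a placeholder.

# --- Part 1: the local equivalent of steps 4-8 for the file system case ---
# Object Access > Audit File System: Success and Failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Global Object Access Policies > File system entry: audit every file-system
# access by Domain Admins. FA (full access) includes WRITE_OWNER, the right
# exercised when taking ownership. The "not also an Enterprise Admin" condition
# from step 9 cannot be expressed here and is applied as a filter in Part 2.
auditpol /resourceSACL /set /type:File /user:"CONTOSO\Domain Admins" /success /failure /access:FA

# Show the global file SACL now in effect.
auditpol /resourceSACL /view /type:File

# --- Part 2: apply the step-9 condition to the events the SACL generates ---
Import-Module ActiveDirectory

# Resolve recursive membership once; watched = Domain Admins minus Enterprise Admins.
$domainAdmins     = Get-ADGroupMember -Identity 'Domain Admins'     -Recursive | ForEach-Object SamAccountName
$enterpriseAdmins = Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive | ForEach-Object SamAccountName
$watched          = $domainAdmins | Where-Object { $_ -notin $enterpriseAdmins }

$WRITE_OWNER = 0x80000   # AccessMask bit that corresponds to "Take ownership"

# 4663 = "An attempt was made to access an object". Global Object Access entries
# produce one of these for each file that matches the global SACL.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Flatten the EventData <Data Name="..."> pairs into a hashtable.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # AccessMask is logged as hex text such as "0x80000".
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)

    if (($mask -band $WRITE_OWNER) -and ($data['SubjectUserName'] -in $watched)) {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
            Outcome = if ($evt.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        }
    }
}
```

Run Part 1 once and let it settle before querying; the global SACL only affects handles opened after it is set, and on a busy file server a full-access global entry generates a high event volume, which is exactly why the expression in step 9 is worth narrowing to the principals and rights you actually care about.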