When you view a system's audit policy through the Microsoft Management Console (MMC) Local Security Policy snap-in, you might notice two new audit categories that matter most on domain controllers (DCs): Audit directory service access and Audit account logon events. The Audit directory service access category lets you track changes to Active Directory (AD) objects (e.g., users) down to the property level, so you can tell which attribute of an object was touched. For example, you can use this category to distinguish a password reset from a phone-number change on the same user object.

The Audit account logon events category name is confusingly similar to the Audit logon events category name. Windows 2000's Audit logon events is the same as Windows NT's familiar Logon and Logoff audit category. The problem with Audit logon events and Logon and Logoff is that Win2K and NT record these events on the system on which the logon occurs. When a user logs on interactively at a workstation, Win2K and NT record the logon event in the local workstation's Security log, and only if you've turned on audit policy at that workstation. When a user connects to a server over the network (e.g., by using a drive mapping), Win2K and NT record the network logon in the server's Security log. As a result, logon and logoff events are scattered across every system in your network. Microsoft heard our complaints and added the Audit account logon events category, which tracks account authentication at the point where the credentials are validated. For domain accounts, that point is centralized: the DCs in your domain. (For accounts stored in a system's local SAM database, the account logon events are still recorded on that local system, because it is the one validating the credentials.)
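To make the distinction between the two categories concrete, here is an added example that is not part of the original article. It is written in PowerShell, which did not exist on Win2K, and it uses the event IDs that Windows Vista and later assign to these categories (4624 for a logon, 4768 and 4776 for Kerberos and NTLM account logon on the DC, 5136 for a directory object change); the Win2K-era IDs are noted in comments. The computer names are placeholders, and the script assumes you have remote event-log (RPC) and WinRM access to both machines.

```powershell
# Added example: shows which machine's Security log each audit category writes to.
# Event IDs below are Vista and later; Win2K equivalents are given in the comments.
param(
    [string]$Workstation      = 'WS01',   # placeholder name
    [string]$DomainController = 'DC01',   # placeholder name
    [int]$Hours               = 24
)

$since = (Get-Date).AddHours(-$Hours)

$LogonEvents        = 4624          # Audit logon events:             Win2K 528 (interactive), 540 (network)
$AccountLogonEvents = 4768, 4776    # Audit account logon events:     Win2K 672 (Kerberos TGT), 680 (NTLM)
$DsAccessEvents     = 5136          # Audit directory service access: Win2K 565 (object open)

# Pull a named field out of an event's EventData by name rather than by index,
# so the same helper works for every event ID used here.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SecurityEvents {
    param([string]$Computer, [int[]]$Id)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName   = 'Security'
        Id        = $Id
        StartTime = $since
    } -ErrorAction Stop
}

# 0. Confirm the categories are actually enabled where the events are expected to land.
Write-Host "Audit policy on $Workstation (Logon/Logoff is recorded here)"
Invoke-Command -ComputerName $Workstation { auditpol /get /category:"Logon/Logoff" }
Write-Host "Audit policy on $DomainController (Account Logon and DS Access are recorded here)"
Invoke-Command -ComputerName $DomainController { auditpol /get /category:"Account Logon","DS Access" }

# 1. Audit logon events: recorded on the system where the logon occurs, i.e. the workstation.
Write-Host "`nLogon events recorded locally on $Workstation"
Get-SecurityEvents -Computer $Workstation -Id $LogonEvents |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = Get-EventData $_ 'TargetUserName'
            LogonType = Get-EventData $_ 'LogonType'   # 2 = interactive, 3 = network
        }
    } | Group-Object User | Select-Object Name, Count | Format-Table -AutoSize

# 2. Audit account logon events: recorded on the DC that validated the domain account,
#    no matter which workstation or server the user was actually logging on to.
Write-Host "`nAccount logon events recorded centrally on $DomainController"
Get-SecurityEvents -Computer $DomainController -Id $AccountLogonEvents |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = Get-EventData $_ 'TargetUserName'
            # 4776 (NTLM) names the client machine; 4768 (Kerberos) gives the client address.
            From    = if ($_.Id -eq 4776) { Get-EventData $_ 'Workstation' } else { Get-EventData $_ 'IpAddress' }
        }
    } | Group-Object Account | Select-Object Name, Count | Format-Table -AutoSize

# 3. Audit directory service access: attribute-level changes to AD objects, DC only.
#    The attribute name is what lets you tell one kind of change from another.
Write-Host "`nDirectory object changes recorded on $DomainController"
Get-SecurityEvents -Computer $DomainController -Id $DsAccessEvents |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ChangedBy = Get-EventData $_ 'SubjectUserName'
            Object    = Get-EventData $_ 'ObjectDN'
            Attribute = Get-EventData $_ 'AttributeLDAPDisplayName'
        }
    } | Format-Table -AutoSize
```

Run it from an administrative session as `.\Show-AuditCategories.ps1 -Workstation WS01 -DomainController DC01`. The first table will only be populated if the workstation itself has Audit logon events turned on, while the second and third tables come from the DC regardless of which machines the users touched, which is exactly the difference the two category names obscure. In a domain with several DCs, repeat the second and third queries against each DC, since a given logon is validated by whichever DC the client happened to reach.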