In tip 1915, we determined the Windows NT 4.0 Audit Policy.

Windows 2000 stores the Audit Policy at:

HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv

Administrators do not have access to this key, but the SYSTEM account does.

Use the Task Scheduler, which runs in the SYSTEM context (see tip 3215), to export the Audit Policy settings to a <Folder_Path>\FileName.reg file:

AT [\\ComputerName] HH:MM CMD /c "regedit /a <Folder_Path\FileName.reg> HKEY_LOCAL_MACHINE\Security\Policy\Poladtev"

The <Folder_Path\FileName.reg> file contains an entry similar to:

[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,00,FF,00,00,00,GG,00,00,00,HH,00,00,00,II,00,00,00,ii,00,00,00

where:

ii      Ignore these values.
ZZ      01 indicates auditing is enabled, 00 means disabled.
AA      Audit System Events
BB      Audit Logon Events
CC      Audit Object Access
DD      Audit Privilege Use
EE      Audit Process Tracking
FF      Audit Policy Change
GG      Audit Account Management
HH      Audit Directory Service Access
II      Audit Account Logon Events

If the value of a letter from AA through II is 01, success auditing is enabled.
If the value of a letter from AA through II is 02, failure auditing is enabled.
If the value of a letter from AA through II is 03, success and failure auditing is enabled.
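
To check an exported file against the layout above, the following added example (not part of the original tip) parses the default value out of the .reg text and reports each audit category. The function names and the sample export are constructed for illustration, and treating 00 as "no auditing" is an inference from the 01/02/03 values listed above.

```python
import re

# Category order at byte offsets 4, 8, ..., 36 (AA through II on this page).
CATEGORIES = [
    "Audit System Events", "Audit Logon Events", "Audit Object Access",
    "Audit Privilege Use", "Audit Process Tracking", "Audit Policy Change",
    "Audit Account Management", "Audit Directory Service Access",
    "Audit Account Logon Events",
]
# 01/02/03 are from the page; 00 as "no auditing" is inferred from them.
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success and Failure"}

# Constructed sample export, not taken from a real machine.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):01,17,f5,00,03,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,03,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,09,00,00,00
"""

def extract_default_value(reg_text):
    """Return the bytes of the key's default hex(0) value from .reg text."""
    # Join backslash line continuations so the value sits on one line.
    joined = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", reg_text)
    match = re.search(r"^@=hex\(0\):([0-9A-Fa-f, ]+)", joined, re.MULTILINE)
    if match is None:
        raise ValueError("no default hex(0) value found")
    return bytes(int(tok, 16) for tok in match.group(1).split(",") if tok.strip())

def decode_audit_policy(raw):
    """Map the raw PolAdtEv bytes to a {setting name: state} dictionary."""
    if len(raw) < 4 + 4 * len(CATEGORIES):
        raise ValueError(f"value too short: {len(raw)} bytes")
    policy = {"Auditing enabled": raw[0] == 0x01}
    for index, name in enumerate(CATEGORIES):
        flag = raw[4 + 4 * index]
        policy[name] = SETTINGS.get(flag, f"Unknown (0x{flag:02x})")
    return policy

if __name__ == "__main__":
    for name, state in decode_audit_policy(extract_default_value(SAMPLE_REG)).items():
        print(f"{name:32} {state}")
```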