One of the changes in Windows 2008 was the audit policy configuration. In the past we had a limited granularity:
In Windows 2008 we had a lot of extra categories, but these had to be configured using the command-line tool “auditpol.exe”:
While it was nice, it always was a pain in the ass to get configured, if you wanted to deploy it in mass, you had to go fiddle around with scripts and scheduled tasks. Just like the Microsoft Enterprise Client security baseline did. It seems starting from Windows 2008 R2 and Windows 7 you can now configure this the “regular” graphical way. Both the Local Security Policy client and the Group Policy Management Console are now capable of displaying and configuration these settings:
For some extra information: http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx
Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.