You can configure auditing of account logon events using Group Policy. To
configure an audit policy setting for a domain controller:
1.. Click Start, point to Programs, point to Administrative Tools, and
then click Active Directory Users and Computers.
2.. On the View menu, click Advanced Features.
3.. Right-click Domain Controllers, and then click Properties.
4.. Click the Group Policy tab, click Default Domain Controller Policy,
and then click Edit.
5.. Click Computer Configuration, double-click Windows Settings,
double-click Security Settings, double-click Local Policies, and then
double-click Audit Policy.
6.. In the right pane, right-click Audit Directory Services Access, and
then click Properties.
7.. Click Define These Policy Settings, and then click to select one or
both of the following check boxes:
a.. Success: Click to select this check box to audit successful attempts
for the event category.
b.. Failure: Click to select this check box to audit failed attempts for
the event category.
8.. Right-click any other event category that you want to audit, and then
click Properties.
9.. Click OK.
10.. Because the changes that you make to your computer's audit policy
setting take effect only when the policy setting is propagated or applied to
your computer, complete either of the following steps to initiate policy
propagation:
a.. Type gpupdate /Target:computer at the command prompt, and then press
ENTER.
b.. Wait for automatic policy propagation that occurs at regular
intervals that you can configure. By default, policy propagation occurs
every five minutes.
11.. Open the Security log to view logged events.
Note If you are either a domain or an enterprise administrator, you can
enable security auditing for workstations, member servers, and domain
controllers remotely.
http://support.microsoft.com/default.aspx?kbid=814595