To enable local Windows security auditing:
Log on to Windows 2000 with an account that has Administrator rights. If you
want to grant other users the rights to set auditing, see the "How to Enable
Another Account to Configure Auditing" section in the "Reference" section of
this article.
Ensure that the Group Policy snap-in is installed; if it is not installed,
follow the directions in the "How to Install the Group Policy Snap-in"
section in the "References" section of this article to install it.
Click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools.
Double-click Local Security Policy to start the Local Security Settings MMC
snap-in.
Double-click Local Policies to expand it, and then double-click Audit Policy.
In the right pane, double-click the policy that you want to enable or
disable.
Click the Success (An audited security access attempt that succeeds) and
Fail (audited security access attempt that fails) check boxes for logging on
and logging off. For example, with this setting, a user's successful attempt
to log on to the system is logged as a Success Audit event. If a user tries
to access a network drive and fails, the attempt is logged as a Failure Audit
event.
If you are setting auditing for a Web server that is running Microsoft
Internet Information Services (IIS) version 5.0, see the "Recommendations for
Auditing on a Web Server That Is Running Windows 2000 and Internet
Information Services 5.0" section in the "References" section of this article
for a list of suggested audits.
ref. Microsoft PSS ID 300549
good luck
