Log on to the Windows Server 2008 R2 system with an account with administrator privileges.
Click Start, click All Programs, click Administrative Tools, and select Local Security Policy.
In the tree pane, double-click on Local Policies, and double-click on Audit Policy.
In the tasks pane, double-click on Audit Object Access.
When the Audit Object Access Properties window opens, check the Failure check box, and click OK, as shown in Figure 1.
Figure 1. Enabling failure audit for object access.
Close the Local Security Policy window.
Click Start and click on Computer.
Browse to the drive and folder on which you will enable auditing; for this example, use the c:\HumanResources folder.
Right-click the folder and select Properties.
Select the Security tab and click the Advanced button near the bottom of the window.
Select the Auditing tab and click the Edit button to enable audit changes.
this particular example, we want to log failed attempts to access the
folder, so we will use the Everyone group and enable all failure
audits. Click the Add button in the Advanced Security Settings window
for the HumanResources folder.
When the Select User, Computer, Service Account, or Group window opens, type in Everyone and click OK.
the Auditing Entry window for everyone, check the Failed check box next
to Full Control, check the box at the bottom of the window to apply the
Audit policy to all objects contained within the HumanResources folder,
and click OK, as shown in Figure 2.
Figure 2. Configuring an audit entry for the HumanResources NTFS folder.
In the Advanced Security Settings window, check the Replace All Existing Inheritable Auditing Entries check box, and click OK.
OK again to close the Advanced Security Settings window, and then click
OK one more time to close the property pages of the HumanResources