GartnerGroup recommends using third-party tools to overcome what the group perceives as a security weakness in NT. However, I don't believe NT's audit-logging capabilities are a problem. In fact, I haven't seen a more flexible and complete operating system (OS) audit component. The Security Reference Monitor, deep in the NT Executive, evaluates access to all objects, regardless of their type (to learn more about the Security Reference Monitor, see Mark Russinovich, "Windows NT Security, Part 1," May 1998 and "Windows NT Security, Part 2," June 1998). The Security Reference Monitor is the single point of control for all object access and the exercise of rights and privileges. The Security Log records events according to criteria the administrator sets. Getting information into the log is easy--the problem is getting the information back out in user-friendly, easy-to-interpret reports. The Event Viewer is not as flexible a report manager as administrators need. Moreover, in the distributed environment of an NT domain, activity is scattered among all member computers. NT has no native way to get a comprehensive view of network activity. Take, for instance, logon activity events. If you want to see all failed logons in your domain, you must look at the Security Log of every server and workstation. Per GartnerGroup's recommendation, you can use third-party tools that merge the scattered logs of a domain into one database and then provide specialized reports for analyzing categories of security-related activity. You can also use dumpel.exe from the resource kit to convert event logs on remote computers to text files for subsequent merging into an Access database.
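The merge step described above, as an added example that is not from the original article: it loads per-computer text dumps into one table and reports failed logons across all computers in a single query. The tab-separated column order, event ID 529 as the NT logon-failure event, the sample lines, and SQLite standing in for the Access database are all assumptions of this example.

```python
import sqlite3

# Assumed tab-separated column order of each dump line; adjust to your export.
COLUMNS = ("date", "time", "type", "category", "event_id",
           "source", "user", "computer", "description")
FAILED_LOGON_ID = 529  # assumed: NT logon failure (unknown user name or bad password)

# Constructed sample dumps keyed by the computer they were taken from (not real data).
SAMPLE_DUMPS = {
    "PDC01": "3/2/99\t9:14:05 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tPDC01\tLogon Failure: jsmith\n"
             "3/2/99\t9:14:09 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tPDC01\tLogon Failure: jsmith\n"
             "3/2/99\t9:15:30 AM\t8\t2\t528\tSecurity\tCORP\\jsmith\tPDC01\tSuccessful Logon: jsmith\n",
    "WKS07": "3/2/99\t10:02:11 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWKS07\tLogon Failure: administrator\n"
             "3/2/99\t10:02\n",  # truncated line, must be skipped
    "SRV02": "3/2/99\t11:40:00 AM\t8\t2\t528\tSecurity\tCORP\\backup\tSRV02\tSuccessful Logon: backup\n",
}


def load_dumps(dumps):
    """Merge every computer's dump into one in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (origin TEXT, %s)" % ", ".join(COLUMNS))
    for origin, text in dumps.items():
        for line in text.splitlines():
            fields = line.split("\t")
            if len(fields) != len(COLUMNS) or not fields[4].isdigit():
                continue  # skip blank, truncated or header lines
            fields[4] = int(fields[4])
            db.execute("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?)",
                       [origin] + fields)
    return db


def failed_logons_by_computer(db):
    """Domain-wide view: failed-logon count per computer, busiest first."""
    return db.execute(
        "SELECT computer, COUNT(*) AS n FROM events WHERE event_id = ? "
        "GROUP BY computer ORDER BY n DESC, computer",
        (FAILED_LOGON_ID,)).fetchall()


if __name__ == "__main__":
    for computer, count in failed_logons_by_computer(load_dumps(SAMPLE_DUMPS)):
        print(computer, count)
```

The `origin` column records which dump a row came from, so a mismatch between it and the logged `computer` value can flag a mislabeled or mixed-up export.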