Audit policy change
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
Default:
- Success on domain controllers.
- No auditing on member servers.
Configure this audit setting
You can configure this security setting under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
| Policy change events | Description |
|---|---|
| 608 | A user right was assigned. |
| 609 | A user right was removed. |
| 610 | A trust relationship with another domain was created. |
| 611 | A trust relationship with another domain was removed. |
| 612 | An audit policy was changed. |
| 613 | An Internet Protocol security (IPSec) policy agent started. |
| 614 | An IPSec policy agent was disabled. |
| 615 | An IPSec policy agent changed. |
| 616 | An IPSec policy agent encountered a potentially serious failure. |
| 617 | A Kerberos policy changed. |
| 618 | Encrypted Data Recovery policy changed. |
| 620 | A trust relationship with another domain was modified. |
| 621 | System access was granted to an account. |
| 622 | System access was removed from an account. |
| 623 | Per user auditing policy was set for a user. |
| 625 | Per user audit policy was refreshed. |
| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest. Note When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'. |
| 769 | Trusted forest information was added. Note: This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName". |
| 770 | Trusted forest information was deleted. Note: This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName". |
| 771 | Trusted forest information was modified. Note: This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName". |
| 805 | The event log service read the security log configuration for a session. |