Any suggestions? Export (0) Print
Expand All

Audit Authorization Policy Change

Updated: June 15, 2009

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when the following changes are made to the authorization policy:

  • Assigning or removing of user rights (privileges) such as SeCreateTokenPrivilege, except for the system access rights that are audited by using the Audit Authentication Policy Change subcategory.

  • Changing the Encrypting File System (EFS) policy.

Event volume: Low

Default: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.


Event ID Event message


A user right was assigned.


A user right was removed.


A new trust was created to a domain.


A trust to a domain was removed.


Encrypted data recovery policy was changed.

Community Additions

© 2015 Microsoft