Audit Audit Policy Change
Updated: July 3, 2013
Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy.
Changes to audit policy that are audited include:
Changing permissions and audit settings on the audit policy object (by using auditpol /set /sd).
Changing the system audit policy.
Registering and unregistering security event sources.
Changing per-user audit settings.
Changing the value of CrashOnAuditFail.
Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).
Note: SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
Changing anything in the Special Groups list.
Changes to the audit policy are critical security events.
Event volume: Low
If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the Applies to list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista, unless otherwise noted.
The audit policy (SACL) on an object was changed.
System audit policy was changed.
Auditing settings on an object were changed.
The Per-user audit policy table was created.
An attempt was made to register a security event source.
An attempt was made to unregister a security event source.
The CrashOnAuditFail value has changed.
Auditing settings on object were changed.
Special Groups Logon table modified.
Per User Audit Policy was changed.
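The following script is an added example, not part of the original topic or Microsoft's own tooling. It checks and enables the subcategory with auditpol, then reviews the resulting events in the Security log. The event IDs are not given on this page; they are the Security-log IDs that Windows uses for the event messages listed above. The seven-day window and the report columns are choices made for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the audited computer.
# Event IDs are not listed on this page; they are the Security-log IDs that
# Windows uses for the event messages named in the list above.
$policyChangeEvents = @{
    4715 = 'The audit policy (SACL) on an object was changed'
    4719 = 'System audit policy was changed'
    4817 = 'Auditing settings on an object were changed'
    4902 = 'The Per-user audit policy table was created'
    4904 = 'An attempt was made to register a security event source'
    4905 = 'An attempt was made to unregister a security event source'
    4906 = 'The CrashOnAuditFail value has changed'
    4907 = 'Auditing settings on object were changed'
    4908 = 'Special Groups Logon table modified'
    4912 = 'Per User Audit Policy was changed'
}

# 1. Show whether the subcategory is currently audited
#    (the subcategory name is localized on non-English systems).
auditpol /get /subcategory:"Audit Policy Change"

# 2. Turn on success and failure auditing locally; domain Group Policy can overwrite this.
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# 3. Pull the last 7 days of audit-policy-change events from the Security log.
$filter = @{
    LogName   = 'Security'
    Id        = @($policyChangeEvents.Keys)
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 4. Flatten each event: when, which message, and which account made the change.
#    Events without subject fields (for example 4906) leave Account as a bare "\".
$report = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Meaning     = $policyChangeEvents[$e.Id]
        Account     = ('{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName'])
        Computer    = $e.MachineName
    }
}

$report | Sort-Object TimeCreated | Format-Table -AutoSize
$report | Group-Object EventId, Account | Sort-Object Count -Descending | Select-Object Count, Name
```

Because the event volume for this subcategory is low, any entry in the grouped output that does not match a planned change is worth investigating.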