Audit policy change

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Vista

Description

This security setting determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails.

To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default:

  • Success on domain controllers.

  • No auditing on member servers.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\

For specific instructions about how to configure auditing policy settings, see Define or modify auditing policy settings for an event category.

Policy Change Events | Description

608 | A user right was assigned.

609 | A user right was removed.

610 | A trust relationship with another domain was created.

611 | A trust relationship with another domain was removed.

612 | An audit policy was changed.

613 | An Internet Protocol security (IPSec) policy agent started.

614 | An IPSec policy agent was disabled.

615 | An IPSec policy agent changed.

616 | An IPSec policy agent encountered a potentially serious failure.

617 | A Kerberos policy changed.

618 | Encrypted Data Recovery policy changed.

620 | A trust relationship with another domain was modified.

621 | System access was granted to an account.

622 | System access was removed from an account.

623 | Per user auditing policy was set for a user.

For information about per user selective auditing, see Per-user selective auditing.

625 | Per user audit policy was refreshed.

768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.

Note

  • When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type "TopLevelName".

769 | Trusted forest information was added.

Note

  • This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type "TopLevelName".

770 | Trusted forest information was deleted.

Note

  • See note for event 769.

771 | Trusted forest information was modified.

Note

  • See note for event 769.

805 | The event log service read the security log configuration for a session.

For more information about security events, see Security Events in the Microsoft Windows Resource Kits on the Microsoft Web site.
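
The note for event 769 says that every entry changed in one forest trust update shares an operation ID. The following added example (not part of the original documentation) groups already-parsed 769, 770, and 771 records by that ID so a reviewer sees one update instead of many separate events. The record field names, the sample values, and the entry type "OtherEntryType" are assumptions made for illustration.

```python
from collections import defaultdict

# Forest trust information events from the table above.
FOREST_TRUST_ACTIONS = {769: "added", 770: "deleted", 771: "modified"}
# Parameters the note says are not valid for an entry of type "TopLevelName".
# The key names are assumptions about how the records were parsed.
NOT_VALID_FOR_TLN = ("dns_name", "netbios_name", "sid")

def correlate_forest_trust_updates(records):
    """Group 769/770/771 records by operation ID (one group per update)."""
    updates = defaultdict(list)
    for rec in records:
        action = FOREST_TRUST_ACTIONS.get(rec["event_id"])
        if action is None:
            continue  # some other policy change event, e.g. 612
        entry = {"action": action, "entry_type": rec["entry_type"],
                 "name": rec["name"]}
        # Copy DNS name, NetBIOS name and SID only where they are valid.
        if rec["entry_type"] != "TopLevelName":
            for field in NOT_VALID_FOR_TLN:
                entry[field] = rec.get(field)
        updates[rec["operation_id"]].append(entry)
    return dict(updates)

def summarize(updates):
    """Return {operation_id: {"added": n, "deleted": n, "modified": n}}."""
    summary = {}
    for op_id, entries in updates.items():
        counts = {action: 0 for action in FOREST_TRUST_ACTIONS.values()}
        for entry in entries:
            counts[entry["action"]] += 1
        summary[op_id] = counts
    return summary

# Constructed sample records, not real log data.
SAMPLE = [
    {"event_id": 769, "operation_id": "op-0001", "entry_type": "TopLevelName",
     "name": "example.test", "dns_name": "-", "netbios_name": "-", "sid": "-"},
    {"event_id": 769, "operation_id": "op-0001", "entry_type": "OtherEntryType",
     "name": "child", "dns_name": "child.example.test",
     "netbios_name": "CHILD", "sid": "S-1-5-21-0-0-0"},
    {"event_id": 612},  # audit policy change, not a forest trust event
    {"event_id": 770, "operation_id": "op-0002", "entry_type": "TopLevelName",
     "name": "old.test"},
]

if __name__ == "__main__":
    for op_id, counts in summarize(correlate_forest_trust_updates(SAMPLE)).items():
        print(op_id, counts)
```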

For more information, see: