Audit Audit Policy Change

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when changes are made to audit policy, including:

  • Permissions and audit settings on the audit policy object (by using auditpol /set /sd).

  • Changing the system audit policy.

  • Registration and de-registration of security event sources.

  • Changing per-user audit settings.

  • Changing the value of CrashOnAuditFail.

  • Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).

Note

SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing is performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.

  • Changes made to the Special Groups list.

Important

Changes to the audit policy are critical security events.

Event volume: Low

Default: Success

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista, unless otherwise noted.

| Event ID | Event message |
|---|---|
| 4715 | The audit policy (SACL) on an object was changed. |
| 4719 | System audit policy was changed. |
| 4817 | Auditing settings on an object were changed. Note: This event is logged only on computers running Windows Server 2008 R2 or Windows 7. |
| 4902 | The Per-user audit policy table was created. |
| 4904 | An attempt was made to register a security event source. |
| 4905 | An attempt was made to unregister a security event source. |
| 4906 | The CrashOnAuditFail value has changed. |
| 4907 | Auditing settings on object were changed. |
| 4908 | Special Groups Logon table modified. |
| 4912 | Per User Audit Policy was changed. |
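
One way to confirm that this setting is in effect and to review the events it produces, as an added example that is not part of the original documentation. It assumes an elevated PowerShell session on an English-language system; the variable names and the seven-day window are illustrative choices.

```powershell
# Added example: verify the subcategory is audited, then review its events.
# Run elevated: auditpol and the Security log both require administrator rights.

# Event IDs and messages as listed in the documentation above.
$policyChangeEvents = @{
    4715 = 'The audit policy (SACL) on an object was changed.'
    4719 = 'System audit policy was changed.'
    4817 = 'Auditing settings on an object were changed.'
    4902 = 'The Per-user audit policy table was created.'
    4904 = 'An attempt was made to register a security event source.'
    4905 = 'An attempt was made to unregister a security event source.'
    4906 = 'The CrashOnAuditFail value has changed.'
    4907 = 'Auditing settings on object were changed.'
    4908 = 'Special Groups Logon table modified.'
    4912 = 'Per User Audit Policy was changed.'
}

# 1. Read the effective setting. /r emits CSV; blank lines are dropped before parsing.
#    The subcategory name assumes an English-language installation.
$setting = auditpol /get /subcategory:"Audit Policy Change" /r |
    Where-Object { $_ } |
    ConvertFrom-Csv
$inclusion = $setting.'Inclusion Setting'
if ($inclusion -notmatch 'Success') {
    Write-Warning "Audit Policy Change is '$inclusion'; the documented default is Success."
}

# 2. Collect matching events from the Security log (window length is an arbitrary choice).
$days = 7
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($policyChangeEvents.Keys)
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue   # no matches is reported as an error; treat it as empty

# 3. Event volume for this subcategory is low, so every hit is worth reading.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Meaning'; Expression = { $policyChangeEvents[[int]$_.Id] } },
        MachineName |
    Format-Table -AutoSize -Wrap
```

An empty result combined with the warning from step 1 means the events were never being generated, not that no changes occurred.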