Audit Authorization Policy Change

This security policy setting determines whether the operating system generates audit events when the following changes are made to the authorization policy:

  • Assigning or removing of user rights (privileges) such as SeCreateTokenPrivilege, except for the system access rights that are audited by using the Audit Authentication Policy Change subcategory. 
  • Changing the Encrypting File System (EFS) policy. 


Event volume: Low
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  • 4704: A user right was assigned.
  • 4705: A user right was removed.
  • 4706: A new trust was created to a domain.
  • 4707: A trust to a domain was removed.
  • 4714: Encrypted data recovery policy was changed.

Scope: 

Computer

Default: 

Not configured

Related content