Audit Audit Policy Change

This security policy setting determines whether the operating system generates audit events when changes are made to audit policy, including:

  • Permissions and audit settings on the audit policy object (by using auditpol /set /sd). 
  • Changing the system audit policy. 
  • Registration and de-registration of security event sources. 
  • Changing per-user audit settings. 
  • Changing the value of CrashOnAuditFail. 
  • Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key.)


Note: SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing is performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.Changes made to the Special Groups list.
Important: Changes to the audit policy are critical security events.
Event volume: Low
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista, unless otherwise noted.

  • 4715: The audit policy (SACL) on an object was changed.
  • 4719: System audit policy was changed.
  • 4817: Auditing settings on an object were changed. (Note: This event is logged only on computers running Windows Server 2008 R2 or Windows 7.)
  • 4902: The Per-user audit policy table was created.
  • 4904: An attempt was made to register a security event source.
  • 4905: An attempt was made to unregister a security event source.
  • 4906: The CrashOnAuditFail value has changed.
  • 4907: Auditing settings on object were changed.
  • 4908: Special Groups Logon table modified.
  • 4912: Per User Audit Policy was changed.

Scope: 

Computer

Default: 

Success

Related content