Audit Authentication Policy Change

This security policy setting determines whether the operating system generates audit events when changes are made to authentication policy, including:

  • Creation, modification, and removal of forest and domain trusts. 
  • Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. (Note: The audit event is logged when the policy is applied, not when settings are modified by the administrator.)
  • When any of the following user rights are granted to a user or group: 
    • Access this computer from the network
    • Allow logon locally
    • Allow logon through Remote Desktop
    • Logon as a batch job
    • Logon as a service
  • Namespace collision, such as when an added trust collides with an existing namespace name. 


This setting is useful for tracking changes in domain and forest level trust and privileges granted to user accounts or groups.
Event volume: Low
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  • 4713: Kerberos policy was changed.
  • 4716: Trusted domain information was modified.
  • 4717: System security access was granted to an account.
  • 4718: System security access was removed from an account.
  • 4739: Domain Policy was changed.
  • 4864: A namespace collision was detected.
  • 4865: A trusted forest information entry was added.
  • 4866: A trusted forest information entry was removed.
  • 4867: A trusted forest information entry was modified.

Scope: 

Computer

Default: 

Success

Related content