Audit Authentication Policy Change
Applies To: Windows 7, Windows Server 2008 R2
This security policy setting determines whether the operating system generates audit events when changes are made to authentication policy, including:
Creation, modification, and removal of forest and domain trusts.
Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
Note
The audit event is logged when the policy is applied, not when settings are modified by the administrator.
When any of the following user rights are granted to a user or group:
Access this computer from the network
Allow logon locally
Allow logon through Remote Desktop
Logon as a batch job
Logon as a service
Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain and forest level trust and privileges granted to user accounts or groups.
Event volume: Low
Default: Success
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
Event ID | Event message |
---|---|
4713 |
Kerberos policy was changed. |
4716 |
Trusted domain information was modified. |
4717 |
System security access was granted to an account. |
4718 |
System security access was removed from an account. |
4739 |
Domain Policy was changed. |
4864 |
A namespace collision was detected. |
4865 |
A trusted forest information entry was added. |
4866 |
A trusted forest information entry was removed. |
4867 |
A trusted forest information entry was modified. |