I found the following -
AuditPolicyChange: A security setting that determines whether the operating system MUST audit each instance of user attempts to change user rights assignment policy, audit policy, account policy, or trust policy. The administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures). If Success auditing is enabled, an audit entry MUST be logged when an attempted change to user rights assignment policy, audit policy, or trust policy is successful. If Failure auditing is enabled, an audit entry MAY be logged when a change to user rights assignment policy, audit policy, or trust policy is attempted by an account that is not authorized to make the requested policy change.
So, therefore, with a setting of %%8448 and %%8451 all successful and failed attempts to add to (1) user rights assignment policy, (2) audit policy, (3) account policy, or (4) trust policy MUST be logged.
This raises two additional questions:
- How do we account for data that has been changed/modified rather than merely added or removed?
- How do we differentiate between (1) user rights assignment policy, (2) audit policy, (3) account policy, and (4) trust policy?