JeffRemling-3256 asked LimitlessTechnology-2700 answered

Audit Policy Changes

The Audit Policy Changes subcategory has a table with 12 entries, such as:
%%8448 Success removed
%%8449 Success added
%%8450 Failure removed
%%8451 Failure added
. . . .

Can anyone point me to documentation on exactly what these descriptions mean? My first thought was that "Success Added" meant either an entry was successfully added to an auditable log, or a new policy was successfully added. However, "Success Added" is often in combination with "Failure Added." Any help would be greatly appreciated, and thank you.

windows-10-general windows-group-policy

JeffRemling-3256 answered

I found the following -

AuditPolicyChange: A security setting that determines whether the operating system MUST audit each instance of user attempts to change user rights assignment policy, audit policy, account policy, or trust policy. The administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures). If Success auditing is enabled, an audit entry MUST be logged when an attempted change to user rights assignment policy, audit policy, or trust policy is successful. If Failure auditing is enabled, an audit entry MAY be logged when a change to user rights assignment policy, audit policy, or trust policy is attempted by an account that is not authorized to make the requested policy change.

So, therefore, with a setting of %%8448 and %%8451 all successful and failed attempts to add to (1) user rights assignment policy, (2) audit policy, (3) account policy, or (4) trust policy MUST be logged.

This raises two additional questions:
1. How do we account for data that has been changed/modified but not merely just added or removed?
2. How do we differentiate between (1) user rights assignment policy, (2) audit policy, (3) account policy, and (4) trust policy?
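
An added example, not part of the thread: a Python sketch that decodes the four codes listed in the question as they appear in the change field of a Windows audit-policy-change event (4719), reading "added"/"removed" as Success or Failure auditing being turned on or off for a subcategory. The sample field values and starting states are constructed, and the table entries not shown on the page are reported as undecoded.

```python
import re

# Codes and descriptions exactly as listed in the question. The remaining
# entries of the 12-row table are not on the page, so they stay undecoded.
CHANGE_CODES = {
    "%%8448": ("Success", "removed"),
    "%%8449": ("Success", "added"),
    "%%8450": ("Failure", "removed"),
    "%%8451": ("Failure", "added"),
}

def decode_changes(field):
    """Split a change field such as '%%8449, %%8451' into (code, outcome, action)."""
    decoded = []
    for code in re.findall(r"%%\d+", field):
        outcome, action = CHANGE_CODES.get(code, ("unknown", "unknown"))
        decoded.append((code, outcome, action))
    return decoded

def resulting_state(before, field):
    """Apply the changes to the audited outcomes (e.g. {'Success'}).
    Returns the new set and the list of codes that could not be decoded."""
    state, undecoded = set(before), []
    for code, outcome, action in decode_changes(field):
        if action == "added":
            state.add(outcome)
        elif action == "removed":
            state.discard(outcome)
        else:
            undecoded.append(code)
    return state, undecoded

def reduces_auditing(field):
    """True when any change switches an audited outcome off (worth an alert)."""
    return any(action == "removed" for _, _, action in decode_changes(field))

# Constructed samples: (audited outcomes before the change, change field)
SAMPLES = [
    (set(), "%%8449, %%8451"),        # Success and Failure auditing both enabled
    ({"Success"}, "%%8448, %%8451"),  # Success auditing off, Failure auditing on
    ({"Success", "Failure"}, "%%8448, %%8450"),  # auditing fully disabled
]

if __name__ == "__main__":
    for before, field in SAMPLES:
        after, undecoded = resulting_state(before, field)
        flag = "ALERT" if reduces_auditing(field) else "ok"
        print(f"{field:<16} {sorted(before)} -> {sorted(after)} {flag} {undecoded}")
```
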



LimitlessTechnology-2700 answered

Hello Jeff R,

This may mean that even though the policy was applied correctly, it reported a failure at some level (meaning that everything may work fine, and just a "General Success" was applied).

I would recommend monitoring your policy to check for any inconsistencies.



--If the reply is helpful, please Upvote and Accept as answer--
