3.1.4 Higher-Layer Triggered Events
The administrative-side plug-in is triggered when an administrator starts an administrative tool. The plug-in displays the current settings to the administrator, and when the administrator requests a change in settings, the plug-in updates the stored configuration appropriately as specified in section 2.2.
For both viewing and editing settings, the administrative-side plug-in MUST first open the specified GPO to fetch its network path. The plug-in MUST attempt to read an audit.csv file with the settings from the following location (for viewing) or write to the following location (for editing): <gpo path>\Microsoft\Windows NT\Audit\audit.csv (where <gpo path> is the computer-scoped Group Policy Object path, if the computer settings are being viewed or updated).
File reads and writes MUST be performed, as specified in [MS-GPOL] section 3.3. File names and paths SHOULD be regarded as case-insensitive. If the copy fails, the administrative-side plug-in MUST display to the user that the operation failed.