Audit Option Type

This section defines the advanced audit options that are part of the audit policy. The syntax for the entries in this category MUST be as follows.

 AuditOptionType = String

The value of AuditOptionType MUST be one of the following:




This audit option specifies whether the client shuts down if it is unable to log security events. If this security setting is enabled, it causes the client to stop if a security audit cannot be logged for any reason.


This audit option specifies whether the client generates an event when one or more of these privileges are assigned to a user security token:

  1. AssignPrimaryTokenPrivilege

  2. AuditPrivilege

  3. BackupPrivilege

  4. CreateTokenPrivilege

  5. DebugPrivilege

  6. EnableDelegationPrivilege

  7. ImpersonatePrivilege

  8. LoadDriverPrivilege

  9. RestorePrivilege

  10. SecurityPrivilege

  11. SystemEnvironmentPrivilege

  12. TakeOwnershipPrivilege

  13. TcbPrivilege


This security setting specifies whether to audit the access of global system objects. If this audit option is enabled, it causes system objects, such as mutexes, events, semaphores, and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACLs; SACL are not given to objects without names. If the Kernel Object audit subcategory is also enabled, access to these system objects is audited.


The AuditBaseDirectories option specifies that named kernel objects (such as mutexes and semaphores) are to be given SACLs when they are created. AuditBaseDirectories affects container objects while AuditBaseObjects affects objects that cannot contain other objects.