2.2.4.4 LSAPR_POLICY_AUDIT_EVENTS_INFO
The LSAPR_POLICY_AUDIT_EVENTS_INFO structure contains auditing options on the server.
-
typedef struct _LSAPR_POLICY_AUDIT_EVENTS_INFO { unsigned char AuditingMode; [size_is(MaximumAuditEventCount)] unsigned long* EventAuditingOptions; [range(0,1000)] unsigned long MaximumAuditEventCount; } LSAPR_POLICY_AUDIT_EVENTS_INFO, *PLSAPR_POLICY_AUDIT_EVENTS_INFO;
AuditingMode: 0 indicates that auditing is disabled. All other values indicate that auditing is enabled.
EventAuditingOptions: An array of values specifying the auditing options for a particular audit type. The auditing type of an element is represented by its index in the array, which is identified by the POLICY_AUDIT_EVENT_TYPE enumeration (see section 2.2.4.20). Each element MUST contain one or more of the values in the table below.
-
If the MaximumAuditEventCount field has a value other than 0, this field MUST NOT be NULL.
-
Value
Meaning
POLICY_AUDIT_EVENT_UNCHANGED
0x00000000
Leave existing auditing options unchanged for events of this type; used only for set operations. This value cannot be combined with values in this table.
POLICY_AUDIT_EVENT_NONE
0x00000004
Upon updates, this value causes the existing auditing options for events of this type to be deleted and replaced with any other new values specified. If specified by itself, this value cancels all auditing options for events of this type. This value is used only for set operations.
POLICY_AUDIT_EVENT_SUCCESS
0x00000001
When auditing is enabled, audit all successful occurrences of events of the given type.
POLICY_AUDIT_EVENT_FAILURE
0x00000002
When auditing is enabled, audit all unsuccessful occurrences of events of the given type.
MaximumAuditEventCount: The number of entries in the EventAuditingOptions array.<23>