Audit Authentication Policy Change

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when changes are made to authentication policy, including:

  • Creation, modification, and removal of forest and domain trusts.

  • Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.

Note

The audit event is logged when the policy is applied, not when settings are modified by the administrator.

  • When any of the following user rights are granted to a user or group:

    • Access this computer from the network

    • Allow logon locally

    • Allow logon through Remote Desktop

    • Logon as a batch job

    • Logon as a service

  • Namespace collision, such as when an added trust collides with an existing namespace name.

This setting is useful for tracking changes in domain and forest level trust and privileges granted to user accounts or groups.

Event volume: Low

Default: Success

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event message

4713

Kerberos policy was changed.

4716

Trusted domain information was modified.

4717

System security access was granted to an account.

4718

System security access was removed from an account.

4739

Domain Policy was changed.

4864

A namespace collision was detected.

4865

A trusted forest information entry was added.

4866

A trusted forest information entry was removed.

4867

A trusted forest information entry was modified.