Audit Authentication Policy Change


Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy.

Changes made to authentication policy include:

  • Creation, modification, and removal of forest and domain trusts.

  • Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.


    The audit event is logged when the policy is applied, not when settings are modified by the administrator.

  • When any of the following user rights is granted to a user or group:

    • Access this computer from the network

    • Allow logon locally

    • Allow logon through Remote Desktop

    • Logon as a batch job

    • Logon as a service

  • Namespace collision, such as when an added trust collides with an existing namespace name.

This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.

Event volume: Low

Default: Success

If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the Applies to list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista.

Event ID

Event message


Kerberos policy was changed.


Trusted domain information was modified.


System security access was granted to an account.


System security access was removed from an account.


Domain Policy was changed.


A namespace collision was detected.


A trusted forest information entry was added.


A trusted forest information entry was removed.


A trusted forest information entry was modified.

Advanced Security Audit Policy Settings