Audit Authentication Policy Change
Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy.
Changes made to authentication policy include:
Creation, modification, and removal of forest and domain trusts.
Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
When any of the following user logon rights is granted to a user or group:
Access this computer from the network
Allow logon locally
Allow logon through Remote Desktop
Logon as a batch job
Logon as a service
Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.
Event volume: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | No | Yes | No | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Events List:
4670(S): Permissions on an object were changed
4706(S): A new trust was created to a domain.
4707(S): A trust to a domain was removed.
4716(S): Trusted domain information was modified.
4713(S): Kerberos policy was changed.
4717(S): System security access was granted to an account.
4718(S): System security access was removed from an account.
4739(S): Domain Policy was changed.
4864(S): A namespace collision was detected.
4865(S): A trusted forest information entry was added.
4866(S): A trusted forest information entry was removed.
4867(S): A trusted forest information entry was modified.