Policy change events are the security event messages generated when trust relationships, IPSec policy, user rights assignments, or the audit, Kerberos, or EFS policy are changed.
IPSec policy consists of settings that are applied to the computer. The IPSec audit events cover filters (which traffic IPSec processes) and filter actions (such as encryption or authentication).
For more information about the user rights that are being audited, see the appendix User Rights in this book.
Parameters: User right, assigned to, assigned by (user name, domain name, and logon ID).
Configurable Information: Success
Formal name: SE_AUDITID_USER_RIGHT_ASSIGNED
Parameters: User right, assigned to, assigned by (user name, domain name, and logon ID).
Configurable Information: Success
Formal name: SE_AUDITID_USER_RIGHT_REMOVED
Parameters: New trusted domain (domain name, domain ID), established by (user name, domain name, logon ID), trust type, trust direction, trust attributes.
Configurable Information: Success
Formal name: SE_AUDITID_TRUSTED_DOMAIN_ADD
This event is recorded on the domain controller on which the trusted domain object (TDO) is created and not on any other domain controller to which the TDO is replicated.
Parameters: Trusted domain removed (domain name, domain ID), removed by (user name, domain name, logon ID).
Configurable Information: Success
Formal name: SE_AUDITID_TRUSTED_DOMAIN_REM
This event is only recorded on the domain controller on which the trusted domain object (TDO) is deleted.
Parameters: New policy (success, failure, or both for each of logon/logoff, object access, privilege use, account management, policy change, system, detailed tracking, directory service access, and account logon), changed by (user name, domain name, logon ID).
Configurable Information: Success
Formal name: SE_AUDITID_AUDIT_POLICY_CHANGE
The new policy is described in the audit body.
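Because the new policy is carried in the event body, an audit policy change can be checked against a baseline as it arrives. The following Python is an added example, not code from this guide: it parses the per-category success/failure settings, reports every category whose auditing was reduced, and notes when the change did not come from the LocalSystem session. The baseline, the event, and the "changed by" values are constructed; treating the LocalSystem logon ID (0x0,0x3E7) as the session Group Policy applies from is an assumption of the example.

```python
"""Review an audit policy change (SE_AUDITID_AUDIT_POLICY_CHANGE) against a
baseline. All data below is constructed for this example; the category names
are the nine the event reports."""

CATEGORIES = (
    "System", "Logon/Logoff", "Object Access", "Privilege Use",
    "Detailed Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon",
)
# Logon ID of the LocalSystem session. Policy pushed by Group Policy is
# applied from that session; a change from any other session was most likely
# made by hand. Treating this as the dividing line is an assumption here.
SYSTEM_LOGON_ID = "(0x0,0x3E7)"


def parse_setting(text):
    """'Success, Failure' -> {'Success', 'Failure'}; 'No Auditing' -> set()."""
    return {part.strip() for part in text.split(",")
            if part.strip() in ("Success", "Failure")}


def policy_regressions(baseline, new_policy):
    """{category: [lost settings]} for each category the new policy audits
    less than the baseline does. Extra auditing is not a regression."""
    regressions = {}
    for category in CATEGORIES:
        wanted = parse_setting(baseline.get(category, "No Auditing"))
        actual = parse_setting(new_policy.get(category, "No Auditing"))
        lost = wanted - actual
        if lost:
            regressions[category] = sorted(lost)
    return regressions


def changed_outside_system_session(changed_by):
    """True when the 'changed by' logon ID is not the LocalSystem session."""
    return changed_by.get("logon_id") != SYSTEM_LOGON_ID


def review_change(baseline, event):
    """Findings for one event: every reduced category, plus a note when the
    reduction did not come from the Group Policy (SYSTEM) session."""
    findings = []
    regressions = policy_regressions(baseline, event["new_policy"])
    for category, lost in regressions.items():
        findings.append(f"{category}: {', '.join(lost)} auditing turned off")
    if regressions and changed_outside_system_session(event["changed_by"]):
        who = event["changed_by"]
        findings.append("reduction made outside the SYSTEM session by "
                        f"{who['domain']}\\{who['user']} ({who['logon_id']})")
    return findings


# Constructed baseline: what the hardening standard says each category should audit.
BASELINE = {
    "System": "Success, Failure",
    "Logon/Logoff": "Success, Failure",
    "Object Access": "Failure",
    "Privilege Use": "Failure",
    "Detailed Tracking": "No Auditing",
    "Policy Change": "Success, Failure",
    "Account Management": "Success, Failure",
    "Directory Service Access": "Failure",
    "Account Logon": "Success, Failure",
}

# Constructed event: the "new policy" and "changed by" parameters of one
# audit policy change. Logon/Logoff lost failure auditing and Policy Change
# was switched off entirely; Detailed Tracking was added, which is fine.
SAMPLE_EVENT = {
    "new_policy": dict(BASELINE, **{
        "Logon/Logoff": "Success",
        "Policy Change": "No Auditing",
        "Detailed Tracking": "Success",
    }),
    "changed_by": {"user": "jdoe", "domain": "CONTOSO",
                   "logon_id": "(0x0,0x1A2B3C)"},
}

if __name__ == "__main__":
    for line in review_change(BASELINE, SAMPLE_EVENT):
        print(line)
```

Switching Policy Change itself to "No Auditing" is the case worth alerting on first: it is the last event of its kind you will see until auditing is restored.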
Parameters: Policy source.
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_POLICY_START
Parameters: Policy source.
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_POLICY_DISABLED
Parameters: Policy source.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_IPSEC_POLICY_CHANGED
Parameters: Policy source.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_POLICY_FAILURE
Parameters: Changed by (user name, domain name, logon ID).
Configurable Information: Success
Formal name: SE_AUDITID_KERBEROS_POLICY_CHANGE
Parameters: Changed by (user name, domain name, logon ID).
Configurable Information: Success
Formal name: SE_AUDITID_EFS_POLICY_CHANGE
Parameters: Trusted domain information modified (domain name, domain ID), modified by (user name, domain name, logon ID), trust type, trust direction, trust attributes.
Configurable Information: Success
Formal name: SE_AUDITID_TRUSTED_DOMAIN_MOD
This event is only recorded on the domain controller on which the trusted domain object (TDO) is modified.
Parameters: Access granted, account modified, assigned by (user name, domain name, and logon ID).
Configurable Information: Success
Formal name: SE_AUDITID_SYSTEM_ACCESS_GRANTED
System access permissions are the logon rights: interactive, network, batch, service, proxy, deny interactive, deny network, deny batch, deny service, remote interactive, or deny remote interactive. A deny right takes precedence over the corresponding allow right, so removing a deny right widens access just as granting an allow right does.
Parameters: Access removed, account modified, assigned by (user name, domain name, and logon ID).
Configurable Information: Success
Formal name: SE_AUDITID_SYSTEM_ACCESS_REMOVED
System access permissions can be interactive, network, batch, service, proxy, deny interactive, deny network, deny batch, deny service, remote interactive, or deny remote interactive.
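The user right and system access events above are usually worth a detection rule rather than a passive record. The following Python is an added example, not code from this guide, covering both the user right assigned/removed events and the system access granted/removed events: it flags grants of privileges that amount to local administrator, grants of remote logon rights, removal of deny rights, and a right that is revoked again shortly after being granted to the same account. The records are constructed with the parameters listed on this page; the set of privileges treated as sensitive and the 30-minute window are choices of the example, not of the guide.

```python
"""Detection logic over User Right Assigned/Removed and System Security
Access Granted/Removed records. The records below are constructed for this
example; their field names follow the parameters listed on this page, and
the list of privileges treated as sensitive is our own choice."""
from collections import defaultdict
from datetime import datetime, timedelta

ASSIGNED = "SE_AUDITID_USER_RIGHT_ASSIGNED"
REMOVED = "SE_AUDITID_USER_RIGHT_REMOVED"
ACCESS_GRANTED = "SE_AUDITID_SYSTEM_ACCESS_GRANTED"
ACCESS_REMOVED = "SE_AUDITID_SYSTEM_ACCESS_REMOVED"

# Privileges that let the holder take over the machine or impersonate anyone.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeEnableDelegationPrivilege",
}
# Logon rights (the page's "system access permissions") that open a remote
# path onto the host. The SeDeny* rights are the blocking entries.
REMOTE_LOGON_RIGHTS = {
    "SeRemoteInteractiveLogonRight", "SeNetworkLogonRight",
    "SeServiceLogonRight", "SeBatchLogonRight",
}


def analyze(records, window=timedelta(minutes=30)):
    """Return [(rule, record)] in time order.

    Rules: a sensitive privilege or remote logon right was granted, a deny
    right was removed, or a right was revoked within `window` of being
    granted to the same account (privilege borrowed, then cleaned up)."""
    findings = []
    grants = defaultdict(list)  # (account, right) -> grant timestamps
    for r in sorted(records, key=lambda x: x["time"]):
        key = (r["account"].lower(), r["right"])
        if r["event"] in (ASSIGNED, ACCESS_GRANTED):
            if r["right"] in SENSITIVE_PRIVILEGES:
                findings.append(("sensitive_privilege_granted", r))
            if r["right"] in REMOTE_LOGON_RIGHTS:
                findings.append(("remote_logon_right_granted", r))
            grants[key].append(r["time"])
        elif r["event"] in (REMOVED, ACCESS_REMOVED):
            if r["right"].startswith("SeDeny"):
                findings.append(("deny_right_removed", r))
            if any(r["time"] - t <= window for t in grants[key]):
                findings.append(("short_lived_grant", r))
    return findings


def rules_fired(records):
    """Just the rule names, in the order the records trigger them."""
    return [rule for rule, _ in analyze(records)]


def sample_records():
    """Constructed records; 'assigned_by' carries the page's user name /
    domain name / logon ID triple. Account names are hypothetical."""
    t0 = datetime(2024, 1, 1, 9, 0)

    def rec(event, right, account, by, minutes):
        return {"event": event, "right": right, "account": account,
                "assigned_by": {"user": by, "domain": "CONTOSO",
                                "logon_id": "(0x0,0x2F4A1)"},
                "time": t0 + timedelta(minutes=minutes)}

    return [
        rec(ASSIGNED, "SeDebugPrivilege", "CONTOSO\\svc-backup", "jdoe", 0),
        rec(REMOVED, "SeDebugPrivilege", "CONTOSO\\svc-backup", "jdoe", 12),
        rec(ACCESS_GRANTED, "SeRemoteInteractiveLogonRight",
            "CONTOSO\\contractor", "admin1", 20),
        rec(ACCESS_REMOVED, "SeDenyNetworkLogonRight",
            "CONTOSO\\Guest", "admin1", 25),
        rec(ASSIGNED, "SeChangeNotifyPrivilege",
            "CONTOSO\\webapp", "admin1", 40),  # benign, no finding
    ]


if __name__ == "__main__":
    for rule, r in analyze(sample_records()):
        print(f"{r['time']:%H:%M} {rule:28} {r['right']} -> {r['account']}")
```

The short-lived grant rule only fires when the revoke follows a grant the analyzer has already seen, so feed it a window of events rather than single records.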
Parameters: Target type, target name, forest root, top level name, DNS name, NetBIOS name, SID, new flags.
Configurable Information: Failure
Formal name: SE_AUDITID_NAMESPACE_COLLISION
When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each namespace element. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for a TopLevelName namespace element.
Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD
This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages share a single unique identifier called an operation ID, which lets you determine that they are the result of one operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type TopLevelName.
Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, deleted by, client user name, client domain, client logon ID.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM
This event message is generated when forest trust information is updated and one or more entries are deleted. One event message is generated per deleted entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages share a single unique identifier called an operation ID, which lets you determine that they are the result of one operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type TopLevelName.
Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, modified by, client user name, client domain, client logon ID.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD
This event message is generated when forest trust information is updated and one or more entries are modified. One event message is generated per modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages share a single unique identifier called an operation ID, which lets you determine that they are the result of one operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type TopLevelName.
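The three forest trust information events are emitted one per entry, so reviewing a trust update means reassembling the entries by operation ID and then checking each entry against the namespace already claimed by other forests, which is the overlap the namespace collision event reports. The following Python is an added example, not code from this guide, that does both: it groups constructed events by operation ID, reports fields that the page says are not valid for the entry type, and finds DNS, NetBIOS, and SID overlaps between an incoming update and entries recorded for other forests. The events, forest names, and SIDs are constructed; using TopLevelName and DomainInfo as the entry type names follows the LSA forest trust record types and is an assumption of the example.

```python
"""Reassemble per-entry forest trust information events
(SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD/REM/MOD) by operation ID and run
the overlap check behind SE_AUDITID_NAMESPACE_COLLISION. All events below
are constructed; entry type names are an assumption of this example."""
from collections import defaultdict

# Fields the page says are meaningful per entry type: DNS name, NetBIOS name
# and SID apply to domain entries, not to a TopLevelName entry.
VALID_FIELDS = {
    "TopLevelName": {"top_level_name"},
    "DomainInfo": {"dns_name", "netbios_name", "domain_sid"},
}
NAME_FIELDS = ("top_level_name", "dns_name", "netbios_name", "domain_sid")


def group_by_operation(events):
    """Stitch the per-entry events of one forest trust update back together."""
    ops = defaultdict(list)
    for e in events:
        ops[e["operation_id"]].append(e)
    return dict(ops)


def invalid_fields(entry):
    """Fields set on an entry that its entry type should not carry."""
    allowed = VALID_FIELDS[entry["entry_type"]]
    return [f for f in NAME_FIELDS if entry.get(f) and f not in allowed]


def _under(name, suffix):
    """True if DNS name `name` equals `suffix` or lies beneath it."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def namespace_collisions(known, incoming):
    """Compare incoming entries with entries recorded for other forests.
    Returns (incoming, known, reason) for every DNS, NetBIOS or SID overlap;
    entries belonging to the same forest root never collide with each other."""
    hits = []
    for n in incoming:
        for k in known:
            if k["forest_root"].lower() == n["forest_root"].lower():
                continue
            n_dns = [v for v in (n.get("top_level_name"), n.get("dns_name")) if v]
            k_dns = [v for v in (k.get("top_level_name"), k.get("dns_name")) if v]
            for a in n_dns:
                for b in k_dns:
                    if _under(a, b) or _under(b, a):
                        hits.append((n, k, f"DNS namespace overlap: {a} / {b}"))
            nb_n, nb_k = n.get("netbios_name"), k.get("netbios_name")
            if nb_n and nb_k and nb_n.upper() == nb_k.upper():
                hits.append((n, k, f"NetBIOS name collision: {nb_n}"))
            if n.get("domain_sid") and n.get("domain_sid") == k.get("domain_sid"):
                hits.append((n, k, f"SID collision: {n['domain_sid']}"))
    return hits


# Constructed: entries already recorded for the fabrikam.com forest (op 3).
KNOWN = [
    {"forest_root": "fabrikam.com", "operation_id": 3,
     "entry_type": "TopLevelName", "top_level_name": "fabrikam.com"},
    {"forest_root": "fabrikam.com", "operation_id": 3,
     "entry_type": "DomainInfo", "dns_name": "sales.fabrikam.com",
     "netbios_name": "SALES", "domain_sid": "S-1-5-21-1111-2222-3333"},
]
# Constructed: one update of the contoso.com trust; all four events share
# operation ID 7. The last entry is malformed (DNS name on a TopLevelName).
INCOMING = [
    {"forest_root": "contoso.com", "operation_id": 7,
     "entry_type": "TopLevelName", "top_level_name": "contoso.com"},
    {"forest_root": "contoso.com", "operation_id": 7,
     "entry_type": "DomainInfo", "dns_name": "corp.contoso.com",
     "netbios_name": "SALES", "domain_sid": "S-1-5-21-4444-5555-6666"},
    {"forest_root": "contoso.com", "operation_id": 7,
     "entry_type": "DomainInfo", "dns_name": "eu.fabrikam.com",
     "netbios_name": "EU", "domain_sid": "S-1-5-21-7777-8888-9999"},
    {"forest_root": "contoso.com", "operation_id": 7,
     "entry_type": "TopLevelName", "top_level_name": "contoso.net",
     "dns_name": "contoso.net"},
]

if __name__ == "__main__":
    for op, entries in group_by_operation(KNOWN + INCOMING).items():
        print(f"operation {op}: {len(entries)} entries")
    for n, k, reason in namespace_collisions(KNOWN, INCOMING):
        print(f"{n['forest_root']} vs {k['forest_root']}: {reason}")
```

A NetBIOS or SID collision is the case to treat as hostile rather than as a configuration slip: a domain in the partner forest that claims the same SID as one of yours can be used to spoof its identity across the trust.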