Policy Change Events


Policy change events are the security event messages recorded when audit policy, user rights assignments, trust relationships, IPSec policy, Kerberos policy, or Encrypted Data Recovery policy change on the computer.

IPSec policy is the set of IPSec settings applied to the computer. The IPSec audits cover filters (which traffic IPSec should process) and filter actions (what to do with that traffic, such as encrypt or authenticate it).

For more information about the user rights that are being audited, see the appendix User Rights in this book.

608 A user right was assigned.

Parameters: User right, assigned to, assigned by (user name, domain name, and logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_USER_RIGHT_ASSIGNED

609 A user right was removed.

Parameters: User right, removed from, assigned by (user name, domain name, and logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_USER_RIGHT_REMOVED

610 A trust relationship with another domain was created.

Parameters: New trusted domain (domain name, domain ID), established by (user name, domain name, logon ID), trust type, trust direction, trust attributes.

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_ADD

This event is recorded only on the domain controller on which the trusted domain object (TDO) is created, not on the other domain controllers to which the TDO is replicated. To see every trust creation in a domain, the Security log of every domain controller has to be collected.

611 A trust relationship with another domain was removed.

Parameters: Trusted domain removed (domain name, domain ID), removed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_REM

This event is only recorded on the domain controller on which the trusted domain object (TDO) is deleted.

612 An audit policy was changed.

Parameters: New policy (success, failure, or both for each category: logon/logoff, object access, privilege use, account management, policy change, system, detailed tracking, directory service access, account logon), changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_AUDIT_POLICY_CHANGE

The new policy is described in the audit body; the previous policy is not, so detecting a regression requires comparing the event against a known baseline.
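As an added example (not code from the Resource Kit), the following parses the body of an event 612 and reports every category whose auditing dropped below a baseline. The event body is a constructed sample laid out like the legacy 612 description, one line per category with "+" or "-" under Success and Failure; the exact whitespace of a real event differs, so the parser keys on the markers rather than on column positions. The baseline values are this example's own assumption.

```python
"""Check a legacy event 612 (audit policy change) body against a baseline.

Added example, not from the Resource Kit. SAMPLE_612 is a constructed
event body in the shape of the legacy 612 description; BASELINE holds
assumed expected settings, not any real organisation's policy.
"""
import re

# Categories in the order event 612 lists them.
CATEGORIES = [
    "Logon/Logoff", "Object Access", "Privilege Use", "Account Management",
    "Policy Change", "System", "Detailed Tracking",
    "Directory Service Access", "Account Logon",
]

# Assumed baseline: which outcomes each category is expected to audit.
BASELINE = {
    "Logon/Logoff": ("Success", "Failure"),
    "Object Access": ("Failure",),
    "Privilege Use": ("Failure",),
    "Account Management": ("Success", "Failure"),
    "Policy Change": ("Success", "Failure"),
    "System": ("Success", "Failure"),
    "Detailed Tracking": (),
    "Directory Service Access": ("Failure",),
    "Account Logon": ("Success", "Failure"),
}

# Constructed sample body (layout approximated with spaces).
SAMPLE_612 = """Audit Policy Change:
    New Policy:
    Success Failure
        +       +   Logon/Logoff
        -       -   Object Access
        -       +   Privilege Use
        +       +   Account Management
        -       -   Policy Change
        +       +   System
        -       -   Detailed Tracking
        -       +   Directory Service Access
        +       +   Account Logon
    Changed By:
        User Name:  jdoe
        Domain Name:  CORP
        Logon ID:  (0x0,0x3E7)
"""

# A policy line is two +/- markers followed by the category name.
POLICY_LINE = re.compile(r"^\s*([+-])\s+([+-])\s+(.+?)\s*$")
FIELD_LINE = re.compile(r"^\s*(User Name|Domain Name|Logon ID):\s*(.*?)\s*$")


def parse_612(body):
    """Return ({category: set of audited outcomes}, {changed-by field: value})."""
    policy, changed_by = {}, {}
    for line in body.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            success, failure, category = m.groups()
            outcomes = set()
            if success == "+":
                outcomes.add("Success")
            if failure == "+":
                outcomes.add("Failure")
            policy[category] = outcomes
            continue
        m = FIELD_LINE.match(line)
        if m:
            changed_by[m.group(1)] = m.group(2)
    return policy, changed_by


def audit_regressions(body, baseline=BASELINE):
    """List (category, detail) for every category audited less than baseline."""
    policy, changed_by = parse_612(body)
    findings = []
    for category in CATEGORIES:
        expected = set(baseline.get(category, ()))
        actual = policy.get(category)
        if actual is None:
            findings.append((category, "missing from event body"))
            continue
        lost = expected - actual
        if lost:
            findings.append((category, "no longer audits " + "/".join(sorted(lost))))
    return findings, changed_by


def is_blinding(findings):
    """True when Policy Change auditing itself was reduced: after that, later
    policy-change events (including further 612s) may not be recorded."""
    return any(category == "Policy Change" for category, _ in findings)


if __name__ == "__main__":
    found, who = audit_regressions(SAMPLE_612)
    for category, detail in found:
        print(f"{category}: {detail}")
    print("changed by:", who, "| blinding:", is_blinding(found))
```

Treat a regression in the Policy Change category as the most urgent finding: once it is off, the next audit policy change produces no 612, so the only evidence of the change is this event.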

613 An IPSec policy agent started.

Parameters: Policy source.

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_POLICY_START

614 An IPSec policy agent was disabled.

Parameters: Policy source.

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_POLICY_DISABLED

615 An IPSec policy agent changed.

Parameters: Policy source.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_IPSEC_POLICY_CHANGED

616 An IPSec policy agent encountered a potentially serious failure.

Parameters: Policy source.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_POLICY_FAILURE

617 A Kerberos policy changed.

Parameters: Changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_KERBEROS_POLICY_CHANGE

618 Encrypted Data Recovery policy changed.

Parameters: Changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_EFS_POLICY_CHANGE

620 A trust relationship with another domain was modified.

Parameters: Trusted domain information modified (domain name, domain ID), modified by (user name, domain name, logon ID), trust type, trust direction, trust attributes.

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_MOD

This event is only recorded on the domain controller on which the trusted domain object (TDO) is modified.

621 System access was granted to an account.

Parameters: Access granted, account modified, assigned by (user name, domain name, and logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_ACCESS_GRANTED

System access permissions can be interactive, network, batch, service, proxy, deny interactive, deny network, deny batch, deny service, remote interactive, or deny remote interactive.

622 System access was removed from an account.

Parameters: Access removed, account modified, assigned by (user name, domain name, and logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_ACCESS_REMOVED

System access permissions can be interactive, network, batch, service, proxy, deny interactive, deny network, deny batch, deny service, remote interactive, or deny remote interactive.
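The following is an added example, not code from the Resource Kit, that triages both the user rights events (608/609, described earlier) and the system access events (621/622) from one actor's session. The records are constructed and already split into the parameters the page lists for each event, as a collector would hand them to a detection rule; the privilege names are the standard Windows privilege constants, and the risk tiers and the CORP account names are this example's own assumptions.

```python
"""Triage of legacy policy-change events 608/609 (user rights) and
621/622 (system access).

Added example, not from the Resource Kit. EVENTS is constructed sample
data; HIGH_RISK_RIGHTS and the severities are assumptions of this example.
"""

# Privileges that let a holder run as SYSTEM, read or take any object,
# or tamper with auditing. The tiering is an assumption, not the page's.
HIGH_RISK_RIGHTS = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeLoadDriverPrivilege",
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege", "SeEnableDelegationPrivilege",
    "SeSecurityPrivilege",
}

# System access types named on the page for events 621/622.
LOGON_ACCESS = {"interactive", "network", "batch", "service", "proxy",
                "remote interactive"}
DENY_ACCESS = {"deny " + a for a in LOGON_ACCESS - {"proxy"}}

# Constructed records: id, the right or access, the account it applies
# to, and the "assigned by" triple (user name, domain name, logon ID).
EVENTS = [
    {"id": 608, "right": "SeRemoteShutdownPrivilege",
     "target": "CORP\\ops-admins", "by": ("jdoe", "CORP", "(0x0,0x3E7)")},
    {"id": 608, "right": "SeDebugPrivilege",
     "target": "CORP\\svc-backup", "by": ("jdoe", "CORP", "(0x0,0x3E7)")},
    {"id": 621, "access": "remote interactive",
     "target": "CORP\\svc-backup", "by": ("jdoe", "CORP", "(0x0,0x3E7)")},
    {"id": 622, "access": "deny network",
     "target": "CORP\\svc-backup", "by": ("jdoe", "CORP", "(0x0,0x3E7)")},
    {"id": 609, "right": "SeSecurityPrivilege",
     "target": "CORP\\audit-readers", "by": ("asmith", "CORP", "(0x0,0x5A12C)")},
]


def triage(event):
    """Return (severity, reason) for one event, or None if nothing to flag."""
    eid = event["id"]
    if eid == 608 and event["right"] in HIGH_RISK_RIGHTS:
        return "high", f"{event['right']} granted to {event['target']}"
    if eid == 609 and event["right"] == "SeSecurityPrivilege":
        return "medium", f"SeSecurityPrivilege removed from {event['target']}"
    if eid == 621 and event["access"] in {"interactive", "remote interactive"}:
        return "medium", f"{event['access']} logon granted to {event['target']}"
    if eid == 622 and event["access"] in DENY_ACCESS:
        # Removing a deny entry re-enables the logon type it was blocking.
        return "medium", f"{event['access']} removed from {event['target']} (logon re-enabled)"
    return None


def triage_all(events):
    """Run triage over a batch and keep the actor with each finding."""
    findings = []
    for ev in events:
        hit = triage(ev)
        if hit:
            severity, reason = hit
            findings.append({"id": ev["id"], "severity": severity,
                             "reason": reason, "by": ev["by"]})
    return findings


def by_logon_session(events):
    """Group every change by (actor, logon ID) so a burst of changes from one
    session stands out even when each change looks benign on its own."""
    sessions = {}
    for ev in events:
        user, domain, logon_id = ev["by"]
        key = (f"{domain}\\{user}", logon_id)
        what = ev.get("right") or ev.get("access")
        sessions.setdefault(key, []).append((ev["id"], what, ev["target"]))
    return sessions


if __name__ == "__main__":
    for f in triage_all(EVENTS):
        print(f"[{f['severity']}] {f['id']}: {f['reason']} by {f['by'][1]}\\{f['by'][0]}")
    for (actor, logon_id), changes in by_logon_session(EVENTS).items():
        print(actor, logon_id, len(changes), "changes")
```

Grouping by logon ID is the part worth keeping: the same session that granted SeDebugPrivilege to the service account also gave it remote interactive logon and removed its network-logon deny, which reads very differently as one session than as three unrelated events.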

768 A collision was detected between a namespace element in one forest and a namespace element in another forest.

Parameters: Target type, target name, forest root, top level name, DNS name, NetBIOS name, SID, new flags.

Configurable Information: Failure

Formal name: SE_AUDITID_NAMESPACE_COLLISION

When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each namespace element. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for a TopLevelName namespace element.

769 Trusted forest information was added.

Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD

This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages carry the same unique identifier, called an operation ID, so you can determine that they are the result of a single operation. Not all parameters are valid for each entry type. For example, DNS name, NetBIOS name, and SID are not valid for an entry of type TopLevelName.

770 Trusted forest information was deleted.

Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, deleted by, client user name, client domain, client logon ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM

This event message is generated when forest trust information is updated and one or more entries are deleted. One event message is generated per deleted entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages carry the same operation ID, so you can determine that they are the result of a single operation. Not all parameters are valid for each entry type. For example, DNS name, NetBIOS name, and SID are not valid for an entry of type TopLevelName.

771 Trusted forest information was modified.

Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD

This event message is generated when forest trust information is updated and one or more entries are modified. One event message is generated per modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages carry the same operation ID, so you can determine that they are the result of a single operation. Not all parameters are valid for each entry type. For example, DNS name, NetBIOS name, and SID are not valid for an entry of type TopLevelName.
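As an added example (not code from the Resource Kit), the following reassembles events 769, 770 and 771 into the operations that produced them, using the operation ID exactly as the three entries above describe it: one event per entry, one operation ID per update. The records are constructed; the entry type names (TopLevelName, DomainInfo), the operation ID values, the forest names and the actor names are assumptions of this example. It also applies the page's own validity rule, flagging any TopLevelName record that carries a DNS name, NetBIOS name or SID.

```python
"""Correlate legacy events 769/770/771 (forest trust information added,
deleted, modified) by operation ID.

Added example, not from the Resource Kit. EVENTS is constructed sample
data; entry type names, operation IDs and names are assumptions.
"""
from collections import defaultdict

ACTION = {769: "added", 770: "deleted", 771: "modified"}


def entry(eid, op, entry_type, *, tln=None, dns=None, netbios=None, sid=None,
          by="CORP\\tadmin", root="partner.example"):
    """Build one record with the parameters the page lists for 769-771."""
    return {"id": eid, "op": op, "forest_root": root, "entry_type": entry_type,
            "top_level_name": tln, "dns_name": dns, "netbios": netbios,
            "sid": sid, "by": by}


EVENTS = [
    # Operation 0x1A2B: one update that adds a domain record and a name suffix.
    entry(769, "0x1A2B", "DomainInfo", dns="corp.partner.example",
          netbios="CORP-PARTNER", sid="S-1-5-21-1111-2222-3333"),
    entry(769, "0x1A2B", "TopLevelName", tln="partner.example"),
    # Operation 0x1A3C: a later update deletes the suffix and modifies the domain.
    entry(770, "0x1A3C", "TopLevelName", tln="partner.example"),
    entry(771, "0x1A3C", "DomainInfo", dns="corp.partner.example",
          netbios="CORP-PARTNER", sid="S-1-5-21-1111-2222-3333"),
    # Operation 0x1A4D: a TopLevelName record carrying a SID, which the page
    # says is not valid for that entry type.
    entry(769, "0x1A4D", "TopLevelName", tln="partner.example",
          sid="S-1-5-21-4444-5555-6666", by="CORP\\unknown"),
]


def group_by_operation(events):
    """Map operation ID -> the events that share it."""
    ops = defaultdict(list)
    for ev in events:
        ops[ev["op"]].append(ev)
    return dict(ops)


def entry_fields_valid(ev):
    """DNS name, NetBIOS name and SID are not valid for a TopLevelName entry."""
    if ev["entry_type"] == "TopLevelName":
        return ev["dns_name"] is None and ev["netbios"] is None and ev["sid"] is None
    return True


def summarize(events):
    """Per operation: forest, actors, add/delete/modify counts, the domain
    SIDs the trust information gained, and records that break the page's
    validity rule."""
    summary = {}
    for op, entries in group_by_operation(events).items():
        counts = defaultdict(int)
        for e in entries:
            counts[ACTION[e["id"]]] += 1
        summary[op] = {
            "forest_root": {e["forest_root"] for e in entries},
            "actors": {e["by"] for e in entries},
            "counts": dict(counts),
            "new_sids": sorted(e["sid"] for e in entries
                               if e["id"] == 769 and e["sid"]),
            "malformed": [e for e in entries if not entry_fields_valid(e)],
        }
    return summary


if __name__ == "__main__":
    for op, info in summarize(EVENTS).items():
        print(op, info["counts"], "actors:", sorted(info["actors"]),
              "new SIDs:", info["new_sids"],
              "malformed:", len(info["malformed"]))
```

Reviewing per operation rather than per event is what makes the added domain SIDs visible as a unit: a single update can add several domain records, and each one widens the set of SIDs the trust information describes for the other forest.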




Microsoft Windows XP Professional Resource Kit 2003