WinSecWiki > Security Settings > Local Policies > Security Options > Audit > Audit the use of Backup and Restore privilege

Audit: Audit the use of Backup and Restore privilege

Enabling, this policy has no effect unless Audit privilege use events is also enabled. 

By default there are a number of high volume rights that Windows does not audit even when you enable Audit privilege use. Enabling this policy makes Windows audit the use of high volume rights, SeBackupPrivilege and SeRestorePrivilege. Enabling this policy results in an event being logged for every object on the system affected by backups. I recommend against enabling this policy since it will only greatly increase the noise of the already noisy and low value Audit privilege use policy. 

It is unclear whether enabling this policy also enables the audit of: 

Bottom line

I don't recommend enabling this policy because it generates even more events in a category that is already basically all noise anyway. I actually recommend disabling Audit privilege use.

Back to top


Additional Resources