WinSecWiki > Security Settings > Local Policies > Audit Policy > Policy Change

Audit Policy Change

The Audit policy change policy provides notification of changes to important security policies on the local system, such as changes to the system’s audit policy or, when the local system is a DC, changes to trust relationships.

The following is an exerpt from my book, The Windows Security Log Revealed :

The Policy Change category provides notification of changes to important security policies on the local system, such as to the system’s audit policy or, in the case of DCs, to trust relationships.

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

Windows XP, 2000 and 2003: I recommend enabling this policy for success on all computers including workstations. We have not observed any failure events in this category.
Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Policy Change (Windows Server 2008 and Vista).

Child articles:

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Policy Change

•	Audit
•	Authentication
•	Authorization
•	MPSSVC Rule-Level
•	Filtering Platform
•	Other Policy Change Events

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.