Audit Authorization Policy Change

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when the following changes are made to the authorization policy:

  • Assigning or removing of user rights (privileges) such as SeCreateTokenPrivilege, except for the system access rights that are audited by using the Audit Authentication Policy Change subcategory.

  • Changing the Encrypting File System (EFS) policy.

Event volume: Low

Default: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event message


A user right was assigned.


A user right was removed.


A new trust was created to a domain.


A trust to a domain was removed.


Encrypted data recovery policy was changed.