|Product:||Windows Operating System|
|Component:||Security Event Log|
|Message:||Audit Policy Change: New Policy: Success Failure %3 %4 Logon/Logoff %5 %6 Object Access %7 %8 Privilege Use %13 %14 Account Management %11 %12 Policy Change %1 %2 System %9 %10 Detailed Tracking %15 %16 Directory Service Access %17 %18 Account Logon Changed By: User Name: %19 Domain Name: %20 Logon ID: %21|
This event record indicates that an audit policy was changed. The actual changes are shown in the audit log file.
Changing an audit policy can have serious security implications. Audit policies changed by a user who is not trusted can be a security risk.
The person with administrative rights for the computer should make sure the user is supposed to have the privilege to change audit policies.
The audit log should be checked to make sure the audit change does not have an adverse impact.