Hi all,I'm currently analyzing Windows Server 2008 audit capabilities and I'm seeing that no events are stored in Security Event Log (regardless all audit policies are enabled) when someone changes anything in "Security Options" of "Local Policies".Is this normal? A change in the security behaviour of the system should be audited, isn't it?All my tests have been done in a standalone machine (not in a domain).Thanks in advanceKindly,--Marc

Hello Marc, You can enable the "Audit policy change" audit policy to log the success or failure of the user right assignment policies and audit policies. However, it doesn't audit the policies that reside in the Security Options. Windows will log a event 4717 that indicates Authentication Policy Change. Event 4717 ------------------------- System security access was granted to an account. Subject:Security ID:SYSTEMAccount Name:COMPUTERNAMEAccount Domain:DOMAINNAMELogon ID:0x3e7 Account Modified:Account Name:Domain/username Access Granted:Access Right:Granted right ------------------------- Hope it helps.

Miles Li MSFT wrote: You can enable the "Audit policy change" audit policy to log the success or failure of the user right assignment policies and audit policies. However, it doesn't audit the policies that reside in the Security Options. True. Is what I have seen on my tests. Thanks for your confirmation.Kindly,--Marc