Audit User Rights

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

By default, auditing of the use of all user rights is not enabled, regardless of the settings in the audit policy. As a result, a user who has the right to back up files can access any file on the system, and that access is not captured by auditing. To audit the use of such rights, apply the following registry setting.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_DWORD
Value: 1

Caution: because of the Bypass Traverse Checking right, this will fill the audit log FAST.
