Events
Apr 8, 3 PM - May 28, 7 AM
Sharpen your AI skills and enter the sweepstakes to win a free Certification exam
Register now!Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The POLICY_AUDIT_EVENT_TYPE enumeration defines values that indicate the types of events the system can audit. The LsaQueryInformationPolicy and LsaSetInformationPolicy functions use this enumeration when their InformationClass parameters are set to PolicyAuditEventsInformation.
typedef enum _POLICY_AUDIT_EVENT_TYPE {
AuditCategorySystem = 0,
AuditCategoryLogon,
AuditCategoryObjectAccess,
AuditCategoryPrivilegeUse,
AuditCategoryDetailedTracking,
AuditCategoryPolicyChange,
AuditCategoryAccountManagement,
AuditCategoryDirectoryServiceAccess,
AuditCategoryAccountLogon
} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
AuditCategorySystemValue: 0 Determines whether the operating system must audit any of the following attempts:
|
AuditCategoryLogonDetermines whether the operating system must audit each time this computer validates the credentials of an account. Account logon events are generated whenever a computer validates the credentials of one of its local accounts. The credential validation can be in support of a local logon or, in the case of an Active Directory domain account on a domain controller, can be in support of a logon to another computer. Audited events for local accounts must be logged on the local security log of the computer. Account logoff does not generate an event that can be audited. |
AuditCategoryObjectAccessDetermines whether the operating system must audit each instance of user attempts to access a non-Active Directory object, such as a file, that has its own system access control list (SACL) specified. The type of access request, such as Write, Read, or Modify, and the account that is making the request must match the settings in the SACL. |
AuditCategoryPrivilegeUseDetermines whether the operating system must audit each instance of user attempts to use privileges. |
AuditCategoryDetailedTrackingDetermines whether the operating system must audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit. |
AuditCategoryPolicyChangeDetermines whether the operating system must audit attempts to change Policy object rules, such as user rights assignment policy, audit policy, account policy, or trust policy. |
AuditCategoryAccountManagementDetermines whether the operating system must audit attempts to create, delete, or change user or group accounts. Also, audit password changes. |
AuditCategoryDirectoryServiceAccessDetermines whether the operating system must audit attempts to access the directory service. The Active Directory object has its own SACL specified. The type of access request, such as Write, Read, or Modify, and the account that is making the request must match the settings in the SACL. |
AuditCategoryAccountLogonDetermines whether the operating system must audit each instance of a user attempt to log on or log off this computer. Also audits logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the Kerberos Key Distribution Center (KDC) logs on to the domain controller. Logoff attempts are generated whenever the logon session of a logged-on user account is terminated. |
The POLICY_AUDIT_EVENT_TYPE enumeration may expand in future versions of Windows. Because of this, you should not compute the number of values in this enumeration directly. Instead, you should obtain the count of values by calling LsaQueryInformationPolicy with the InformationClass parameter set to PolicyAuditEventsInformation and extract the count from the MaximumAuditEventCount member of the returned POLICY_AUDIT_EVENTS_INFO structure.
| Requirement | Value |
|---|---|
| Minimum supported client | Windows XP [desktop apps only] |
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Header | ntsecapi.h |