Auditing of Policy Change: Authorization Policy Change events on failure should be enabled or disabled as appropriate. This security policy setting determines whether the operating system generates audit events when the following changes are made to the authorization policy: Assigning or removing of user rights (privileges) such as SeCreateTokenPrivilege, except for the system access rights that are audited by using the Audit Authentication Policy Change subcategory. Changing the Encrypting File System (EFS) policy. If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. Fix: (1) GPO: Commandline: auditpol.exe (2) REG: NO INFO